From: Jin Qian
To: Mimi Zohar, David Safford, David Howells, James Morris, "Serge E. Hallyn", linux-security-module@vger.kernel.org, keyrings@linux-nfs.org, linux-kernel@vger.kernel.org
Cc: Eric Biggers, linux-stable, Jin Qian
Subject: [PATCH 1/1] KEYS: encrypted: fix buffer overread in valid_master_desc()
Date: Tue, 6 Feb 2018 13:19:00 -0800
Message-Id: <20180206211900.3565-1-jinqian@android.com>

From: Eric Biggers

commit 794b4bc292f5d31739d89c0202c54e7dc9bc3add upstream

With the 'encrypted' key type it was possible for userspace to provide a
data blob ending with a master key description shorter than expected,
e.g. 'keyctl add encrypted desc "new x" @s'. When validating such a
master key description, validate_master_desc() could read beyond the end
of the buffer. Fix this by using strncmp() instead of memcmp(). [Also
clean up the code to deduplicate some logic.]

Cc: linux-stable # 3.18.y
Cc: Mimi Zohar
Signed-off-by: Eric Biggers
Signed-off-by: David Howells
Signed-off-by: James Morris
Signed-off-by: Jin Qian --- security/keys/encrypted-keys/encrypted.c | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c index 89d5695c51cd..20251ee5c491 100644 --- a/security/keys/encrypted-keys/encrypted.c +++ b/security/keys/encrypted-keys/encrypted.c @@ -141,23 +141,22 @@ static int valid_ecryptfs_desc(const char *ecryptfs_desc) */ static int valid_master_desc(const char *new_desc, const char *orig_desc) { - if (!memcmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN)) { - if (strlen(new_desc) == KEY_TRUSTED_PREFIX_LEN) - goto out; - if (orig_desc) - if (memcmp(new_desc, orig_desc, KEY_TRUSTED_PREFIX_LEN)) - goto out; - } else if (!memcmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN)) { - if (strlen(new_desc) == KEY_USER_PREFIX_LEN) - goto out; - if (orig_desc) - if (memcmp(new_desc, orig_desc, KEY_USER_PREFIX_LEN)) - goto out; - } else - goto out; + int prefix_len; + + if (!strncmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN)) + prefix_len = KEY_TRUSTED_PREFIX_LEN; + else if (!strncmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN)) + prefix_len = KEY_USER_PREFIX_LEN; + else + return -EINVAL; + + if (!new_desc[prefix_len]) + return -EINVAL; + + if (orig_desc && strncmp(new_desc, orig_desc, prefix_len)) + return -EINVAL; + return 0; -out: - return -EINVAL; } /* -- 2.16.0.rc1.238.g530d649a79-goog
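
Review bot: The new `if (!new_desc[prefix_len])` check and the three strncmp() calls in valid_master_desc() stay in bounds only if new_desc (and orig_desc, when non-NULL) is NUL-terminated, and the function neither checks nor documents that precondition. strncmp() stops at the first NUL, which is what closes the overread memcmp() had on a too-short description, and a successful prefix match guarantees that index prefix_len is still inside the string; a one-line comment above the function saying callers must pass NUL-terminated strings would keep a later caller from reintroducing the bug. Two smaller points: the commit message says validate_master_desc() while the subject and the code say valid_master_desc(), and prefix_len is only ever used as a length and an array index, so an unsigned type such as size_t would fit better than int.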