Received: by 10.223.185.116 with SMTP id b49csp589780wrg;
        Fri, 16 Feb 2018 04:05:26 -0800 (PST)
X-Google-Smtp-Source: AH8x2254BMVjC7MGSHWUonRKOu1xvkOfNXclq4L34jzI9uKSgl3qI6L/lHKW5CCjbPPzyKr1SRWy
X-Received: by 2002:a17:902:48:: with SMTP id 66-v6mr5538124pla.288.1518782726378;
        Fri, 16 Feb 2018 04:05:26 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1518782726; cv=none;
        d=google.com; s=arc-20160816;
        b=sxOTIWT444R/7+ISR1pNSQXdbqxuONRoNjDDJTcN9jAVcv3bMkb0a1kXhJSL2UwKyM
         ENd/7yCVvv2PdVgPtRqBwl8/CYeaujn0Rl6P0jrR4vL0rg1xE4mZuoiUrfp06rMERHVD
         KY4pL9QPwdEYSrGMLDMfXznbBTVuCjVeBwTp2vHxjg4WxC30EsLT4MIxstSk57a+SjW0
         mvagprW412PdJgiqPxsk8Z8xFbA9xiLaUJjOoINvi7023TOFjD0YTC+5Y9hAgwPDVg/z
         MUgZBWA9zJRm82If9lrhvOeb7pwDEOjvQCMvHMeQRuvEJy3OLSTRK5ZtmudaWeDPQJHe
         65Fw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=FLqpZoeduAMfK3SRJg8Uj98AXqCrG25X4nTpFqc6CIw=;
        b=0q3aohbkie4E5xuIXP/bzJkX0FkIt0D4NSDBYhtdsZ2m7sWxrVgydzlZou0KGNn5wi
         SGHHK5wtgyK8jnVR4ubUrQf5bpOush2yb1n+xwaAsdCis/J+hK5au9Qbpbqm4bDX4lSk
         Bx5z+8sHhAK+q4pK1I+UalQV/NAC2vp1bbxw03zqzj01LRwrEpk5WORj25Z4tg1AbLES
         YCsXzT9A0N9x2yPFAOdOBpyOUDOL2m8W55kSGTpDw6Di1wqYR2fW+/vTYapzeQpS5mwK
         eXwM2SE1uSsY+deLfrLRQTRjHqNmrDjcqIYl6kQOZCGkGLn65dqaIlnz60JKZc1EqiEy
         V+NQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g6-v6si2801232plj.159.2018.02.16.04.04.47;
        Fri, 16 Feb 2018 04:05:26 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1166146AbeBOSNK (ORCPT <rfc822;jaysonjohndmello@gmail.com>
        + 99 others); Thu, 15 Feb 2018 13:13:10 -0500
Received: from mail.linuxfoundation.org ([140.211.169.12]:53752 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1163744AbeBOP2M (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 15 Feb 2018 10:28:12 -0500
Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 87978FBE;
        Thu, 15 Feb 2018 15:28:11 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        syzbot+5dfdbcf7b3eb5912abbb@syzkaller.appspotmail.com,
        Eric Biggers <ebiggers@google.com>,
        Trond Myklebust <trondmy@gmail.com>
Subject: [PATCH 4.9 25/88] NFS: reject request for id_legacy key without auxdata
Date:   Thu, 15 Feb 2018 16:16:52 +0100
Message-Id: <20180215151226.151984706@linuxfoundation.org>
X-Mailer: git-send-email 2.16.1
In-Reply-To: <20180215151222.437136975@linuxfoundation.org>
References: <20180215151222.437136975@linuxfoundation.org>
User-Agent: quilt/0.65
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 49686cbbb3ebafe42e63868222f269d8053ead00 upstream.

nfs_idmap_legacy_upcall() is supposed to be called with 'aux' pointing
to a 'struct idmap', via the call to request_key_with_auxdata() in
nfs_idmap_request_key().

However it can also be reached via the request_key() system call in
which case 'aux' will be NULL, causing a NULL pointer dereference in
nfs_idmap_prepare_pipe_upcall(), assuming that the key description is
valid enough to get that far.

Fix this by making nfs_idmap_legacy_upcall() negate the key if no
auxdata is provided.

As usual, this bug was found by syzkaller.  A simple reproducer using
the command-line keyctl program is:

    keyctl request2 id_legacy uid:0 '' @s

Fixes: 57e62324e469 ("NFS: Store the legacy idmapper result in the keyring")
Reported-by: syzbot+5dfdbcf7b3eb5912abbb@syzkaller.appspotmail.com
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Trond Myklebust <trondmy@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/nfs4idmap.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/fs/nfs/nfs4idmap.c
+++ b/fs/nfs/nfs4idmap.c
@@ -567,9 +567,13 @@ static int nfs_idmap_legacy_upcall(struc
 	struct idmap_msg *im;
 	struct idmap *idmap = (struct idmap *)aux;
 	struct key *key = cons->key;
-	int ret = -ENOMEM;
+	int ret = -ENOKEY;
+
+	if (!aux)
+		goto out1;
 
 	/* msg and im are freed in idmap_pipe_destroy_msg */
+	ret = -ENOMEM;
 	data = kzalloc(sizeof(*data), GFP_KERNEL);
 	if (!data)
 		goto out1;