Received: by 10.223.185.116 with SMTP id b49csp4192732wrg;
        Mon, 26 Feb 2018 12:56:19 -0800 (PST)
X-Google-Smtp-Source: AH8x2251/btjEfHaLykh31MasvlfZtQviVDf8WLV7Ska+P29Y2alMR3hQ6QGVp5jJI99hlsXeete
X-Received: by 2002:a17:902:6184:: with SMTP id u4-v6mr11667320plj.390.1519678579439;
        Mon, 26 Feb 2018 12:56:19 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1519678579; cv=none;
        d=google.com; s=arc-20160816;
        b=nYPk9ZM2D0LqBmCBxWnNh3oO77MG1t1/9TO+6AqEORfhS8ENx1V2cggvNpSt9G2Gx9
         2lB+yblMLHMEnvWFJrlpfrVutvwYZLihWYx5/a1kS8TjfHZEAW+WxR3mGnwr3R1JZy60
         plYrlekAotXqMkbHR0e0YF92XYqnSW4SctXMTtrBQ9+MRVfZq3A6tNx51tq/sfY/pJp0
         RdAeAI8zkWbezMExDPb9x+KBm0fTNzT5q4L0UEs7ChMuBiMExvTadQKVKtZhsNjhjVmY
         Twvez6tUeJZ/7Onj4oCRkO5Nyg+CcuRcZzhl/63/Mz05jNQNazBoQVL4APqet1cPnVtb
         iVNA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=AIo+u6BJn8BhCNoAlVdWi3t+4Lzow1AF3SxaaeAY4NQ=;
        b=OGkJxJUzmLH6lcutAnqlRtDJwM1Z9fR1IysnACEn1ggGtxwwqptOGMSuwVQFKNPp5C
         3aleGuXfpixBkrQ/S/ORcvaLpJQ+ZSPur/NjuNHnnQ2w/fTL4MBbHHdOvCi4rUfYGVUN
         cbkhEIb+M7SEfxkuoh3CRTd/jsauRSjuwsyRKKu9clbNN66tGRvnh+Tm0mxPuoJ1nP7Q
         y4A1snXE49LogXbMxga4jzc11xg4pAO87R0ZaUkSjy24jbGDiyTKffc93u3eN2hKP7nK
         EBEuuPkAry50bmemG46LZJY0cTc+eEezWv5sglK0IKhk5guyC3p9jWb5M5WCoJwGbP+h
         YaQw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id m4si5976561pgc.351.2018.02.26.12.56.03;
        Mon, 26 Feb 2018 12:56:19 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752659AbeBZUzH (ORCPT <rfc822;sujaykul91@gmail.com>
        + 99 others); Mon, 26 Feb 2018 15:55:07 -0500
Received: from mail.linuxfoundation.org ([140.211.169.12]:34774 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752648AbeBZUXX (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 26 Feb 2018 15:23:23 -0500
Received: from localhost (clnet-b04-243.ikbnet.co.at [83.175.124.243])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 8D808EC2;
        Mon, 26 Feb 2018 20:23:22 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Eric Biggers <ebiggers@google.com>,
        David Howells <dhowells@redhat.com>
Subject: [PATCH 4.14 12/54] X.509: fix NULL dereference when restricting key with unsupported_sig
Date:   Mon, 26 Feb 2018 21:21:49 +0100
Message-Id: <20180226202144.975088910@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20180226202144.375869933@linuxfoundation.org>
References: <20180226202144.375869933@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 4b34968e77ad09628cfb3c4a7daf2adc2cefc6e8 upstream.

The asymmetric key type allows an X.509 certificate to be added even if
its signature's hash algorithm is not available in the crypto API.  In
that case 'payload.data[asym_auth]' will be NULL.  But the key
restriction code failed to check for this case before trying to use the
signature, resulting in a NULL pointer dereference in
key_or_keyring_common() or in restrict_link_by_signature().

Fix this by returning -ENOPKG when the signature is unsupported.

Reproducer when all the CONFIG_CRYPTO_SHA512* options are disabled and
keyctl has support for the 'restrict_keyring' command:

    keyctl new_session
    keyctl restrict_keyring @s asymmetric builtin_trusted
    openssl req -new -sha512 -x509 -batch -nodes -outform der \
        | keyctl padd asymmetric desc @s

Fixes: a511e1af8b12 ("KEYS: Move the point of trust determination to __key_link()")
Cc: <stable@vger.kernel.org> # v4.7+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 crypto/asymmetric_keys/restrict.c |   21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -67,8 +67,9 @@ __setup("ca_keys=", ca_keys_setup);
  *
  * Returns 0 if the new certificate was accepted, -ENOKEY if we couldn't find a
  * matching parent certificate in the trusted list, -EKEYREJECTED if the
- * signature check fails or the key is blacklisted and some other error if
- * there is a matching certificate but the signature check cannot be performed.
+ * signature check fails or the key is blacklisted, -ENOPKG if the signature
+ * uses unsupported crypto, or some other error if there is a matching
+ * certificate but the signature check cannot be performed.
  */
 int restrict_link_by_signature(struct key *dest_keyring,
 			       const struct key_type *type,
@@ -88,6 +89,8 @@ int restrict_link_by_signature(struct ke
 		return -EOPNOTSUPP;
 
 	sig = payload->data[asym_auth];
+	if (!sig)
+		return -ENOPKG;
 	if (!sig->auth_ids[0] && !sig->auth_ids[1])
 		return -ENOKEY;
 
@@ -139,6 +142,8 @@ static int key_or_keyring_common(struct
 		return -EOPNOTSUPP;
 
 	sig = payload->data[asym_auth];
+	if (!sig)
+		return -ENOPKG;
 	if (!sig->auth_ids[0] && !sig->auth_ids[1])
 		return -ENOKEY;
 
@@ -222,9 +227,9 @@ static int key_or_keyring_common(struct
  *
  * Returns 0 if the new certificate was accepted, -ENOKEY if we
  * couldn't find a matching parent certificate in the trusted list,
- * -EKEYREJECTED if the signature check fails, and some other error if
- * there is a matching certificate but the signature check cannot be
- * performed.
+ * -EKEYREJECTED if the signature check fails, -ENOPKG if the signature uses
+ * unsupported crypto, or some other error if there is a matching certificate
+ * but the signature check cannot be performed.
  */
 int restrict_link_by_key_or_keyring(struct key *dest_keyring,
 				    const struct key_type *type,
@@ -249,9 +254,9 @@ int restrict_link_by_key_or_keyring(stru
  *
  * Returns 0 if the new certificate was accepted, -ENOKEY if we
  * couldn't find a matching parent certificate in the trusted list,
- * -EKEYREJECTED if the signature check fails, and some other error if
- * there is a matching certificate but the signature check cannot be
- * performed.
+ * -EKEYREJECTED if the signature check fails, -ENOPKG if the signature uses
+ * unsupported crypto, or some other error if there is a matching certificate
+ * but the signature check cannot be performed.
  */
 int restrict_link_by_key_or_keyring_chain(struct key *dest_keyring,
 					  const struct key_type *type,