Received: by 10.223.185.116 with SMTP id b49csp4197557wrg; Mon, 26 Feb 2018 13:01:29 -0800 (PST) X-Google-Smtp-Source: AH8x227ULzmi7xHuIymudHMVb8hsckRSysyXN8KEK6PKtyih7YDzr6ydU+ynN29ggWvcYlwMDltP X-Received: by 2002:a17:902:10d:: with SMTP id 13-v6mr11705782plb.266.1519678889727; Mon, 26 Feb 2018 13:01:29 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519678889; cv=none; d=google.com; s=arc-20160816; b=nEAyMT/WKX5lkwwZ3KAETVnkdvTiUh4YvurMKW3vLP9mnsH218tPfV6pXxI96zaiax fseD26tEtgfbI7nzz2znbfbkfqqcQZ7FiN6GsXIttIQq2O+0wGHScvGpfg7AbrXHo66S c2izZtDxll7Y5LGjCfMjpOSM3t3fZE5zeukgpUoFjAEipLJxV4H0YplwJXovlN6mt4ec O0x6ks1gs0NqcysG48JRHYLuEvOqryo95IAjqetmuYW3shkalBRt24hL1md9P93Lwd4Q mo+Yan9oOtlYC8PuTRWU9jQ8JpPUlqnyuGAi1Mn8GFfvm1DmnbGYVUs3r4cezuOe/PEh 1wjA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=GaY7ZRfSvpKsVDibuWMp4JbtIPsXmo8E3zlBWRLJKVQ=; b=MtnO8Ye14lx4IJJkuEAueX/6KycrJgTMt5Xz+2QDLrTKXx8N2X8qcni8403suidDNM RNi9Im/21jhGWO5n5jlMlUS2qytxvxIM+kjZPHYLQbyXWe51SnCfS166mYuQAmnzwOUZ 6LTrQRv0PYmY1YmvjF5N9eJ1agi2BuYygYd3ljSNqA+pnDx+sxEBx4fCdEq7dq1yaKUg TFk2U7c6ob1AOy5dr/iz6i6sHDXOptypjGgALvhvf7fkhC0oBNrCfu4JaF//kkvw0mye z1HqDSIKLAEuAGT4o7KjZMVMSEpuhO16P4gK+VtfYBWNwcCtdvQR19Z7AkzhtTm035kA HvqA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d70si4512800pfj.238.2018.02.26.13.01.13; Mon, 26 Feb 2018 13:01:29 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752455AbeBZUWR (ORCPT + 99 others); Mon, 26 Feb 2018 15:22:17 -0500 Received: from mail.linuxfoundation.org ([140.211.169.12]:34000 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752013AbeBZUWM (ORCPT ); Mon, 26 Feb 2018 15:22:12 -0500 Received: from localhost (clnet-b04-243.ikbnet.co.at [83.175.124.243]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 538C9E33; Mon, 26 Feb 2018 20:22:09 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Biggers , David Howells Subject: [PATCH 4.9 28/39] X.509: fix NULL dereference when restricting key with unsupported_sig Date: Mon, 26 Feb 2018 21:20:49 +0100 Message-Id: <20180226201644.906209281@linuxfoundation.org> X-Mailer: git-send-email 2.16.2 In-Reply-To: <20180226201643.660109883@linuxfoundation.org> References: <20180226201643.660109883@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Eric Biggers commit 4b34968e77ad09628cfb3c4a7daf2adc2cefc6e8 upstream. The asymmetric key type allows an X.509 certificate to be added even if its signature's hash algorithm is not available in the crypto API. In that case 'payload.data[asym_auth]' will be NULL. But the key restriction code failed to check for this case before trying to use the signature, resulting in a NULL pointer dereference in key_or_keyring_common() or in restrict_link_by_signature(). Fix this by returning -ENOPKG when the signature is unsupported. Reproducer when all the CONFIG_CRYPTO_SHA512* options are disabled and keyctl has support for the 'restrict_keyring' command: keyctl new_session keyctl restrict_keyring @s asymmetric builtin_trusted openssl req -new -sha512 -x509 -batch -nodes -outform der \ | keyctl padd asymmetric desc @s Fixes: a511e1af8b12 ("KEYS: Move the point of trust determination to __key_link()") Cc: # v4.7+ Signed-off-by: Eric Biggers Signed-off-by: David Howells Signed-off-by: Greg Kroah-Hartman --- crypto/asymmetric_keys/restrict.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c @@ -66,8 +66,9 @@ __setup("ca_keys=", ca_keys_setup); * * Returns 0 if the new certificate was accepted, -ENOKEY if we couldn't find a * matching parent certificate in the trusted list, -EKEYREJECTED if the - * signature check fails or the key is blacklisted and some other error if - * there is a matching certificate but the signature check cannot be performed. + * signature check fails or the key is blacklisted, -ENOPKG if the signature + * uses unsupported crypto, or some other error if there is a matching + * certificate but the signature check cannot be performed. */ int restrict_link_by_signature(struct key *trust_keyring, const struct key_type *type, @@ -86,6 +87,8 @@ int restrict_link_by_signature(struct ke return -EOPNOTSUPP; sig = payload->data[asym_auth]; + if (!sig) + return -ENOPKG; if (!sig->auth_ids[0] && !sig->auth_ids[1]) return -ENOKEY;