Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp2512969imm; Thu, 7 Jun 2018 11:56:19 -0700 (PDT) X-Google-Smtp-Source: ADUXVKLU+T58UOEyfBdaOBkAToVVqjza3xDS76edzCEHaQJfmTJIdWwob1r1wZB0EQ2GI246HtFs X-Received: by 2002:a62:c00e:: with SMTP id x14-v6mr2842798pff.67.1528397778990; Thu, 07 Jun 2018 11:56:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1528397778; cv=none; d=google.com; s=arc-20160816; b=BsMMdk0+i7PeKcmE2HAsEgHVZQ7Yppl/lV2J4r85/BJTAtfuVMW6GRFjZ6POlMNFt9 XiK0+wR/mwM2r83JkUNLCbeQF00bN60bPTP628YkThN7GFQpgCZykr5KNhtKGO/WmfTc 9mGZEno/oIalEx97qkclScCRB/nVsrqxznnE+a10LICujwipV1g+h12Rc0zpCxOa6OWO wQNGec67JrpfeTJkepZO/xiFZU5tNwHu/mSWihXbn8Jel0ym5W5fFBdPZ35Pe5a6opR/ ilvqVTYaBwWtPOglyDEjMstw5LkNaeDdZOZH8h+L3KHFQr/wvBIGZownCIjgI2rEzfto TbTw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to :from:mime-version:content-transfer-encoding:content-disposition :arc-authentication-results; bh=nUdO6WsD+JgupdVFRUox1aCZ6cw4mIxbvHSQG4BeaVU=; b=dkFIycBujyixEfk8s+g8J31Z+xqP4VVgxJiwtjfg4rinczaj2Pt5yQxGaqur9AUu8I Sx5OnJimfwuMnWLVQMO7WoablXDbf0St3EJCD0I6kev76c0T8gqsGv1mIP2jCCAXw1GH 2hbY7l3ykqVpCy+i273iJqqFSzlvct/fsEK2ZNv2SNuOymsRiQ8d//DLg8zaSjvnGzoz XAAQXAH+lnfBDgaVrRcAnQu0VJsFrFfT6xI/NiPafxClrl6wK8jWKNf7n+ZFq0ptAXFo U3nbZkXYhRUWOS7lRyeaowErOczpsVWTEKfkHF1qACq/dwjUtaOpr7gu4atvwjb3EeTR RpHg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 99-v6si54068366plc.362.2018.06.07.11.56.04; Thu, 07 Jun 2018 11:56:18 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S935188AbeFGQAa (ORCPT + 99 others); Thu, 7 Jun 2018 12:00:30 -0400 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:39335 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933046AbeFGOJH (ORCPT ); Thu, 7 Jun 2018 10:09:07 -0400 Received: from [148.252.241.226] (helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1fQvb7-0005Zo-KA; Thu, 07 Jun 2018 15:09:05 +0100 Received: from ben by deadeye with local (Exim 4.91) (envelope-from ) id 1fQvb3-0002va-Qf; Thu, 07 Jun 2018 15:09:01 +0100 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "Trond Myklebust" , "Eric Biggers" , syzbot+5dfdbcf7b3eb5912abbb@syzkaller.appspotmail.com Date: Thu, 07 Jun 2018 15:05:21 +0100 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) Subject: [PATCH 3.16 158/410] NFS: reject request for id_legacy key without auxdata In-Reply-To: X-SA-Exim-Connect-IP: 148.252.241.226 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.57-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Eric Biggers commit 49686cbbb3ebafe42e63868222f269d8053ead00 upstream. nfs_idmap_legacy_upcall() is supposed to be called with 'aux' pointing to a 'struct idmap', via the call to request_key_with_auxdata() in nfs_idmap_request_key(). However it can also be reached via the request_key() system call in which case 'aux' will be NULL, causing a NULL pointer dereference in nfs_idmap_prepare_pipe_upcall(), assuming that the key description is valid enough to get that far. Fix this by making nfs_idmap_legacy_upcall() negate the key if no auxdata is provided. As usual, this bug was found by syzkaller. A simple reproducer using the command-line keyctl program is: keyctl request2 id_legacy uid:0 '' @s Fixes: 57e62324e469 ("NFS: Store the legacy idmapper result in the keyring") Reported-by: syzbot+5dfdbcf7b3eb5912abbb@syzkaller.appspotmail.com Signed-off-by: Eric Biggers Signed-off-by: Trond Myklebust pbwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings --- fs/nfs/idmap.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) --- a/fs/nfs/idmap.c +++ b/fs/nfs/idmap.c @@ -577,9 +577,13 @@ static int nfs_idmap_legacy_upcall(struc struct idmap_msg *im; struct idmap *idmap = (struct idmap *)aux; struct key *key = cons->key; - int ret = -ENOMEM; + int ret = -ENOKEY; + + if (!aux) + goto out1; /* msg and im are freed in idmap_pipe_destroy_msg */ + ret = -ENOMEM; data = kzalloc(sizeof(*data), GFP_KERNEL); if (!data) goto out1;