Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3011782imu; Sun, 9 Dec 2018 15:05:08 -0800 (PST) X-Google-Smtp-Source: AFSGD/X26sHVzkbKO2IJABBVrnWuH0M+Io5gJA7xfTG6cESHiKEQMjkzO6o7OpP4wXf+YNhLRO5n X-Received: by 2002:a62:4b4d:: with SMTP id y74mr10094092pfa.186.1544396708013; Sun, 09 Dec 2018 15:05:08 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544396707; cv=none; d=google.com; s=arc-20160816; b=sIBxLoGSe75A9akN0TcmHtwwjSPfq6BYlUf3eX7Q6pYzp8wn+HSo+E1HTI4XmYi314 ItbjkTSOOqQkwvwjkkCmg68WvYhF1qu6sz+SEC6gl989gI8c9MqV7KPzYG7LUe6WPkGR GJvsrHnkTn1OSRL2QXdNG9adnOLjIq6VgGeJDaP/zrmEp7rerpAV7KpZDDcZQzGIP8i/ xY2KsKKzypLfsFLq4CVGCWnWywgIgQhvUTnS1/Zji3fNjBmNddsjJ9PJIbTmmnZxymVB aNL20er5OdYppUVNYeEQb9MstblOuEN0QddUTiwW1ngBdxfGmxxM0hLDZPlvgsMTpQhI Y6/g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to :from:mime-version:content-transfer-encoding:content-disposition; bh=ld8Q0bKYAqLNdbJKjbvMRqYL0EV4jNlt+jJYBjKm8to=; b=zN+jmzAIWdfP/FGryxStvVENzdZfZyhIbi3Po1UoYgm+E8lR400IHeXtp6QDsAb0i4 A1PIz5Tca/PT6pm24vtyubbCW75EUQvREQ1/k+BSa8Bl48P4354cwA4W8f0NHIUERmbf YvCx09FMuda5ONliObLcI2QoPC1JamRmCPr8sgPpGMD32MDP0YFKOaSFKY2JzgmV4Is5 ygpmKysAXTgZGUbj0KQmezmtrQY05HU7dhJxZa0sxmHnyRIgXT28Dh8kDBXSDBcCrgxA NX8MMR+945p0si8mz9S9QxtC0yGdnl2s4KJ95WD0Kr6iowPwydSMlNJcZY/wYoBixDez DyrA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b15si8512563plm.431.2018.12.09.15.04.52; Sun, 09 Dec 2018 15:05:07 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728019AbeLIWTI (ORCPT + 99 others); Sun, 9 Dec 2018 17:19:08 -0500 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:35596 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726581AbeLIVz1 (ORCPT ); Sun, 9 Dec 2018 16:55:27 -0500 Received: from pub.yeoldevic.com ([81.174.156.145] helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1gW72q-0002po-Nd; Sun, 09 Dec 2018 21:55:24 +0000 Received: from ben by deadeye with local (Exim 4.91) (envelope-from ) id 1gW72l-0003hS-Oc; Sun, 09 Dec 2018 21:55:19 +0000 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "Eric Biggers" , "Mimi Zohar" , "David Howells" , "James Morris" Date: Sun, 09 Dec 2018 21:50:33 +0000 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) X-Patchwork-Hint: ignore Subject: [PATCH 3.16 322/328] KEYS: encrypted: fix buffer overread in valid_master_desc() In-Reply-To: X-SA-Exim-Connect-IP: 81.174.156.145 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.62-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Eric Biggers commit 794b4bc292f5d31739d89c0202c54e7dc9bc3add upstream. With the 'encrypted' key type it was possible for userspace to provide a data blob ending with a master key description shorter than expected, e.g. 'keyctl add encrypted desc "new x" @s'. When validating such a master key description, validate_master_desc() could read beyond the end of the buffer. Fix this by using strncmp() instead of memcmp(). [Also clean up the code to deduplicate some logic.] Cc: Mimi Zohar Signed-off-by: Eric Biggers Signed-off-by: David Howells Signed-off-by: James Morris Signed-off-by: Ben Hutchings --- security/keys/encrypted-keys/encrypted.c | 31 ++++++++++++------------ 1 file changed, 15 insertions(+), 16 deletions(-) --- a/security/keys/encrypted-keys/encrypted.c +++ b/security/keys/encrypted-keys/encrypted.c @@ -141,23 +141,22 @@ static int valid_ecryptfs_desc(const cha */ static int valid_master_desc(const char *new_desc, const char *orig_desc) { - if (!memcmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN)) { - if (strlen(new_desc) == KEY_TRUSTED_PREFIX_LEN) - goto out; - if (orig_desc) - if (memcmp(new_desc, orig_desc, KEY_TRUSTED_PREFIX_LEN)) - goto out; - } else if (!memcmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN)) { - if (strlen(new_desc) == KEY_USER_PREFIX_LEN) - goto out; - if (orig_desc) - if (memcmp(new_desc, orig_desc, KEY_USER_PREFIX_LEN)) - goto out; - } else - goto out; + int prefix_len; + + if (!strncmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN)) + prefix_len = KEY_TRUSTED_PREFIX_LEN; + else if (!strncmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN)) + prefix_len = KEY_USER_PREFIX_LEN; + else + return -EINVAL; + + if (!new_desc[prefix_len]) + return -EINVAL; + + if (orig_desc && strncmp(new_desc, orig_desc, prefix_len)) + return -EINVAL; + return 0; -out: - return -EINVAL; } /*