From: Eric Biggers To: Linus Torvalds Cc: David Howells , keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com Subject: [PATCH RESEND] KEYS: fix parsing invalid pkey info string Date: Mon, 17 Dec 2018 10:12:44 -0800 Message-Id: <20181217181244.220052-1-ebiggers@kernel.org> X-Mailer: git-send-email 2.20.0.405.gbc1bbc6f85-goog In-Reply-To: <20181128232019.GC131170@gmail.com> References: <20181128232019.GC131170@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Eric Biggers We need to check the return value of match_token() for Opt_err (-1) before doing anything with it. Reported-by: syzbot+a22e0dc07567662c50bc@syzkaller.appspotmail.com Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]") Cc: David Howells Signed-off-by: Eric Biggers --- Hi Linus, please consider applying this patch. It's been ignored by the keyrings maintainer for a month and a half with multiple reminders. It fixes an easily reachable stack corruption in the new keyctl operations that were added in v4.20. It was immediately reached by syzbot even without any definitions for the new keyctls yet. security/keys/keyctl_pkey.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/security/keys/keyctl_pkey.c b/security/keys/keyctl_pkey.c index 783978842f13a..987fac8051d70 100644 --- a/security/keys/keyctl_pkey.c +++ b/security/keys/keyctl_pkey.c @@ -50,6 +50,8 @@ static int keyctl_pkey_params_parse(struct kernel_pkey_params *params) if (*p == '\0' || *p == ' ' || *p == '\t') continue; token = match_token(p, param_keys, args); + if (token == Opt_err) + return -EINVAL; if (__test_and_set_bit(token, &token_mask)) return -EINVAL; q = args[0].from; -- 2.20.0.405.gbc1bbc6f85-goog
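Review bot: the commit message should say what goes wrong without the new `if (token == Opt_err)` check in keyctl_pkey_params_parse(), since "before doing anything with it" leaves the reader to work it out. The very next statement is `__test_and_set_bit(token, &token_mask)`, so an unrecognised option string makes match_token() return Opt_err (-1) and that value is used as a bit index into token_mask; the note under the `---` describes the result as an easily reachable stack corruption, but that text is dropped when the patch is applied. Moving one sentence to that effect into the message body, or adding a short comment above the check, would keep the reason with the code. The placement itself is right: the check sits between match_token() and the first use of token, and returning -EINVAL matches how the duplicate-option case on the following line is reported.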