From: Linus Torvalds
Date: Mon, 17 Dec 2018 10:43:34 -0800
Subject: Re: [PATCH RESEND] KEYS: fix parsing invalid pkey info string
To: ebiggers@kernel.org, James Morris, Mimi Zohar, Jarkko Sakkinen, Peter Huewe
Cc: David Howells, keyrings@vger.kernel.org, Linux List Kernel Mailing, syzkaller-bugs@googlegroups.com
References: <20181128232019.GC131170@gmail.com> <20181217181244.220052-1-ebiggers@kernel.org>
In-Reply-To: <20181217181244.220052-1-ebiggers@kernel.org>
List-ID: linux-kernel@vger.kernel.org

On Mon, Dec 17, 2018 at 10:13 AM Eric Biggers wrote:
>
> Hi Linus, please consider applying this patch. It's been ignored by the
> keyrings maintainer for a month and a half with multiple reminders. It
> fixes an easily reachable stack corruption in the new keyctl operations
> that were added in v4.20. It was immediately reached by syzbot even
> without any definitions for the new keyctls yet.
The getoptions() code in security/keys/trusted.c has exactly the same
buggy pattern, and seems to actually be the source of that idiocy.

Mind fixing that one too and getting rid of this incorrect code entirely?

Also, maybe the right fix is to do the "check for duplicate tokens" only
*after* all the other validation (i.e. after the switch())? Or maybe just
remove it entirely, since it's clearly entirely incorrect from the very
start.

Finally, the code was actually originally introduced in commit
5208cc83423d ("keys, trusted: fix: *do not* allow duplicate key options"),
this second place you found is just pattern matching from that original
garbage, that was acked and "reviewed" by several people.

The fix should have that clarification. Commit 00d60fd3b932 wasn't the
_origin_ of this bug, even if it made a copy of it.

Looking around, nobody else has picked up that incorrect pattern.

                Linus
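The ordering Linus argues for, as an added example that is not code from this thread or from the kernel: a toy "key=value" option parser with constructed option names (enc, hash) and a stand-in match_token(), where the switch validates the token before the duplicate-detection bitmask is touched, so an unknown token (Opt_err, -1) can never become a bit index.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Toy option table in the style of a kernel match_token() table; the
 * names and Opt_* values are constructed for this example. */
enum { Opt_err = -1, Opt_enc = 0, Opt_hash, Opt_last };
static const char *const opt_names[] = { "enc", "hash" };

/* Stand-in for match_token(): returns the table index, or Opt_err (-1). */
int match_token(const char *s)
{
	for (int i = 0; i < Opt_last; i++)
		if (strcmp(s, opt_names[i]) == 0)
			return i;
	return Opt_err;
}

/*
 * Parse "key=value ..." into enc/hash (n bytes each). Ordering is the point:
 * validate the token in the switch first, then record it for the duplicate
 * check. The buggy ordering updated the stack bitmask straight after
 * match_token(), so an unknown token became "bit -1", a write outside it.
 */
int parse_options(const char *info, char *enc, char *hash, size_t n)
{
	char buf[128], *p, *eq;
	unsigned long mask = 0;
	int token;

	if (strlen(info) >= sizeof(buf))
		return -EINVAL;
	strcpy(buf, info);
	for (p = strtok(buf, " "); p; p = strtok(NULL, " ")) {
		eq = strchr(p, '=');
		if (!eq)
			return -EINVAL;
		*eq++ = '\0';
		switch (token = match_token(p)) {
		case Opt_enc:  snprintf(enc, n, "%s", eq); break;
		case Opt_hash: snprintf(hash, n, "%s", eq); break;
		default:       return -EINVAL;	/* Opt_err never reaches the bitmask */
		}
		if (mask & (1UL << token))	/* duplicate check after validation */
			return -EINVAL;
		mask |= 1UL << token;
	}
	return 0;
}
```

Returns 0 on success and -EINVAL for a malformed pair, an unknown key or a repeated key.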