Received: by 2002:a25:b323:0:0:0:0:0 with SMTP id l35csp1336803ybj; Fri, 20 Sep 2019 08:51:34 -0700 (PDT) X-Google-Smtp-Source: APXvYqzZ9/+JyT2KO6RBgKs3fkXSd1e7qeyARDt+qYPPYVmU3yn4lSSN2/jL9VZMaKPs+oRTWMtC X-Received: by 2002:a17:906:15d8:: with SMTP id l24mr8010034ejd.239.1568994694499; Fri, 20 Sep 2019 08:51:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1568994694; cv=none; d=google.com; s=arc-20160816; b=sAgjfbA8hexM0JuF/hYQ1Y2tA2SzNh4EMHN0LCQLouzND1q3bXW+qK+jD1lAtVkQF4 O66kXArkoy6b0Mckc5mD1mNhpoiVzpfeZ4QFltVj5DYdEkS3CzygeWR/m3OR0bDd0B+a oLd5ksJJrMMOI+VWd9Ni4/XveMt4lD/vekhyRYpzLsjdvddIwQfscBBNqktpXi2lSUk6 rfvoDGS8exrnS46Xqc8WW6aPtfsvIIJYOFODTzFFuhdFAKWaoLWk6Y6YxEap6Mu6+jCw NUxtsh8NCM1F5qz8NQk9rri3GYZBa4lunpYrIpw8l63J/eXIOnkuD+kemfAeeQwNckRL pboQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=JSCBi6OBJM7RFymrXu+CcycTbGY0R8PnSF4FI7jer7s=; b=tuSN+S+P+wdXrugSPkYzQAuEmrqYFN7S6ugAFLa2RevzXhgZNrtSSA17FnFGuY8Eae ssPP08nQTDAsnXj2k6k7a64qHPH53RtFeqqpldQdCNtcSdbsO5rZRQwY3fn5jn7ULfIL vZ3Hw5CYrVdB+osJSGAYNrwaA3NyTZ0Qwe+aDURnkjwgdIP148tfV0qDUn/JxIcJelgy aJR2550ZAMTwumFUy8LLjWfp/0wEijyftOLdv/LKgJ62mMNO4E9mDcAJV07BLp0KFmL7 RMT7I4eGwV/G52BllHPdrBaVc8Fq7279ysP/Rzu0iBJfwURLbqnDR8WDFTakkuDW7O8t Iwaw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=M7vvQILr; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e22si1686710eda.300.2019.09.20.08.51.10; Fri, 20 Sep 2019 08:51:34 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=M7vvQILr; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2407056AbfISWXx (ORCPT + 99 others); Thu, 19 Sep 2019 18:23:53 -0400 Received: from mail.kernel.org ([198.145.29.99]:39664 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2407051AbfISWXs (ORCPT ); Thu, 19 Sep 2019 18:23:48 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id A660021924; Thu, 19 Sep 2019 22:23:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1568931827; bh=mvLCPdH8ks+yBxxce7wpWGFYX0C27A1EL9Rft6B6j8A=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=M7vvQILrpPBKBgRZViwTKXq64aBota73G9rzenz3HZiEbviRrkXKQdOxDUHFOdTEO zAZ8hw6pudoEj2IcQvX7NmQyNrSd20R1NlQZlyeKdZa8NcypDYjgaT0+F30H7FF+kX iC2zxo4RTDSfjYQ/ZnpkwLupkY0cXLmX7tNsrUmY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Sachin Sant , Hillf Danton , David Howells , Linus Torvalds , Sasha Levin Subject: [PATCH 4.4 53/56] keys: Fix missing null pointer check in request_key_auth_describe() Date: Fri, 20 Sep 2019 00:04:34 +0200 Message-Id: <20190919214804.840929881@linuxfoundation.org> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20190919214742.483643642@linuxfoundation.org> References: <20190919214742.483643642@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Hillf Danton [ Upstream commit d41a3effbb53b1bcea41e328d16a4d046a508381 ] If a request_key authentication token key gets revoked, there's a window in which request_key_auth_describe() can see it with a NULL payload - but it makes no check for this and something like the following oops may occur: BUG: Kernel NULL pointer dereference at 0x00000038 Faulting instruction address: 0xc0000000004ddf30 Oops: Kernel access of bad area, sig: 11 [#1] ... NIP [...] request_key_auth_describe+0x90/0xd0 LR [...] request_key_auth_describe+0x54/0xd0 Call Trace: [...] request_key_auth_describe+0x54/0xd0 (unreliable) [...] proc_keys_show+0x308/0x4c0 [...] seq_read+0x3d0/0x540 [...] proc_reg_read+0x90/0x110 [...] __vfs_read+0x3c/0x70 [...] vfs_read+0xb4/0x1b0 [...] ksys_read+0x7c/0x130 [...] system_call+0x5c/0x70 Fix this by checking for a NULL pointer when describing such a key. Also make the read routine check for a NULL pointer to be on the safe side. [DH: Modified to not take already-held rcu lock and modified to also check in the read routine] Fixes: 04c567d9313e ("[PATCH] Keys: Fix race between two instantiators of a key") Reported-by: Sachin Sant Signed-off-by: Hillf Danton Signed-off-by: David Howells Tested-by: Sachin Sant Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin --- security/keys/request_key_auth.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c index 8882b729924dd..976deea0569e3 100644 --- a/security/keys/request_key_auth.c +++ b/security/keys/request_key_auth.c @@ -71,6 +71,9 @@ static void request_key_auth_describe(const struct key *key, { struct request_key_auth *rka = key->payload.data[0]; + if (!rka) + return; + seq_puts(m, "key:"); seq_puts(m, key->description); if (key_is_positive(key)) @@ -88,6 +91,9 @@ static long request_key_auth_read(const struct key *key, size_t datalen; long ret; + if (!rka) + return -EKEYREVOKED; + datalen = rka->callout_len; ret = datalen; -- 2.20.1