From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Eric Biggers, Jarkko Sakkinen
Subject: [PATCH 5.16 0057/1017] KEYS: fix length validation in keyctl_pkey_params_get_2()
Date: Tue, 5 Apr 2022 09:16:10 +0200
Message-Id: <20220405070355.877315289@linuxfoundation.org>
In-Reply-To: <20220405070354.155796697@linuxfoundation.org>

From: Eric Biggers

commit c51abd96837f600d8fd940b6ab8e2da578575504 upstream.

In many cases, keyctl_pkey_params_get_2() is validating the user buffer
lengths against the wrong algorithm properties.  Fix it to check against
the correct properties.

Probably this wasn't noticed before because for all asymmetric keys of
the "public_key" subtype, max_data_size == max_sig_size == max_enc_size
== max_dec_size.  However, this isn't necessarily true for the
"asym_tpm" subtype (it should be, but it's not strictly validated).  Of
course, future key types could have different values as well.

Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]")
Cc: # v4.20+
Signed-off-by: Eric Biggers
Reviewed-by: Jarkko Sakkinen
Signed-off-by: Jarkko Sakkinen Signed-off-by: Greg Kroah-Hartman --- security/keys/keyctl_pkey.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) --- a/security/keys/keyctl_pkey.c +++ b/security/keys/keyctl_pkey.c @@ -135,15 +135,23 @@ static int keyctl_pkey_params_get_2(cons switch (op) { case KEYCTL_PKEY_ENCRYPT: + if (uparams.in_len > info.max_dec_size || + uparams.out_len > info.max_enc_size) + return -EINVAL; + break; case KEYCTL_PKEY_DECRYPT: if (uparams.in_len > info.max_enc_size || uparams.out_len > info.max_dec_size) return -EINVAL; break; case KEYCTL_PKEY_SIGN: + if (uparams.in_len > info.max_data_size || + uparams.out_len > info.max_sig_size) + return -EINVAL; + break; case KEYCTL_PKEY_VERIFY: - if (uparams.in_len > info.max_sig_size || - uparams.out_len > info.max_data_size) + if (uparams.in_len > info.max_data_size || + uparams.in2_len > info.max_sig_size) return -EINVAL; break; default: @@ -151,7 +159,7 @@ static int keyctl_pkey_params_get_2(cons } params->in_len = uparams.in_len; - params->out_len = uparams.out_len; + params->out_len = uparams.out_len; /* Note: same as in2_len */ return 0; }
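Review bot: In the first hunk (@@ -135,15 +135,23 @@) the pairing of buffer length to limit in the switch is easy to transpose and nothing in the code documents it: KEYCTL_PKEY_ENCRYPT bounds in_len by max_dec_size while KEYCTL_PKEY_DECRYPT bounds in_len by max_enc_size, and KEYCTL_PKEY_VERIFY is the only case that reads in2_len instead of out_len. A one-line comment per case naming what each buffer holds would make a future transposition visible in review. The commit message also says the mismatch went unnoticed because all four limits are equal for the "public_key" subtype, so a regression test would need a key whose limits differ; none accompanies this change.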
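Review bot: In the second hunk (@@ -151,7 +159,7 @@) the new comment on "params->out_len = uparams.out_len;" says only "same as in2_len", without saying why the two are the same or which operation depends on it. After the first hunk, the VERIFY case validates uparams.in2_len against max_sig_size, so for that operation the value stored in params->out_len is a second input length rather than an output length. Suggest wording the comment to say that (for example, that out_len and in2_len share storage and that VERIFY uses it as the signature length), so a reader of the assignment alone does not take it for an output buffer size in every case.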