From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Eric Biggers, Jarkko Sakkinen
Subject: [PATCH 5.10 040/599] KEYS: fix length validation in keyctl_pkey_params_get_2()
Date: Tue, 5 Apr 2022 09:25:34 +0200
Message-Id: <20220405070300.019395113@linuxfoundation.org>

From: Eric Biggers

commit c51abd96837f600d8fd940b6ab8e2da578575504 upstream.

In many cases, keyctl_pkey_params_get_2() is validating the user buffer
lengths against the wrong algorithm properties. Fix it to check against
the correct properties.

Probably this wasn't noticed before because for all asymmetric keys of
the "public_key" subtype, max_data_size == max_sig_size == max_enc_size
== max_dec_size. However, this isn't necessarily true for the
"asym_tpm" subtype (it should be, but it's not strictly validated). Of
course, future key types could have different values as well.

Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]")
Cc: # v4.20+
Signed-off-by: Eric Biggers Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Greg Kroah-Hartman --- security/keys/keyctl_pkey.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) --- a/security/keys/keyctl_pkey.c +++ b/security/keys/keyctl_pkey.c @@ -135,15 +135,23 @@ static int keyctl_pkey_params_get_2(cons switch (op) { case KEYCTL_PKEY_ENCRYPT: + if (uparams.in_len > info.max_dec_size || + uparams.out_len > info.max_enc_size) + return -EINVAL; + break; case KEYCTL_PKEY_DECRYPT: if (uparams.in_len > info.max_enc_size || uparams.out_len > info.max_dec_size) return -EINVAL; break; case KEYCTL_PKEY_SIGN: + if (uparams.in_len > info.max_data_size || + uparams.out_len > info.max_sig_size) + return -EINVAL; + break; case KEYCTL_PKEY_VERIFY: - if (uparams.in_len > info.max_sig_size || - uparams.out_len > info.max_data_size) + if (uparams.in_len > info.max_data_size || + uparams.in2_len > info.max_sig_size) return -EINVAL; break; default: @@ -151,7 +159,7 @@ static int keyctl_pkey_params_get_2(cons } params->in_len = uparams.in_len; - params->out_len = uparams.out_len; + params->out_len = uparams.out_len; /* Note: same as in2_len */ return 0; }
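Review bot: In the KEYCTL_PKEY_VERIFY case of the first hunk, the signature length is now read from uparams.in2_len, while every other case, and the later assignment to params->out_len, uses uparams.out_len; the only explanation is the "same as in2_len" comment in the second hunk. Consider a short comment at the VERIFY check itself saying that in2_len aliases out_len, so a reader of the switch does not conclude that out_len goes unvalidated for verify. A one-line comment in the ENCRYPT case would also help, since bounding in_len by max_dec_size and out_len by max_enc_size reads backwards until one recalls that the input to encrypt is the plaintext.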
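Review bot: The new comment on the params->out_len assignment in the second hunk says only "same as in2_len" and does not say what makes that true; the VERIFY check in the first hunk validated uparams.in2_len, but the value stored here is uparams.out_len. State the reason in the comment (for example, that the two fields share storage, if that is the case) so that the bound checked for verify is visibly the bound on the value that ends up in params.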