2017-12-18 11:09:23

by Li Kun

[permalink] [raw]
Subject: [PATCH] crypto: af_alg - add keylen checking to avoid NULL ptr passing down

alg_setkey do not check the keylen whether it is zero, so the key
may be ZERO_SIZE_PTR when keylen is 0, which will pass the
copy_from_user's checking and be passed to the lower functions as key.

If the lower functions only check the key if it is NULL, ZERO_SIZE_PTR
will pass the checking, and will cause null ptr dereference, so it's
better to intercept the invalid parameters in the upper functions.

This patch is also suitable to fix CVE-2017-15116 for stable trees.

Signed-off-by: Li Kun <[email protected]>
---
crypto/af_alg.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index 337cf38..10f22f3 100644
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -210,6 +210,8 @@ static int alg_setkey(struct sock *sk, char __user *ukey,
u8 *key;
int err;

+ if (!keylen)
+ return -EINVAL;
key = sock_kmalloc(sk, keylen, GFP_KERNEL);
if (!key)
return -ENOMEM;
--
1.8.3.4


2017-12-18 12:00:17

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [PATCH] crypto: af_alg - add keylen checking to avoid NULL ptr passing down

On Mon, Dec 18, 2017 at 11:09:23AM +0000, Li Kun wrote:
> alg_setkey do not check the keylen whether it is zero, so the key
> may be ZERO_SIZE_PTR when keylen is 0, which will pass the
> copy_from_user's checking and be passed to the lower functions as key.
>
> If the lower functions only check the key if it is NULL, ZERO_SIZE_PTR
> will pass the checking, and will cause null ptr dereference, so it's
> better to intercept the invalid parameters in the upper functions.
>
> This patch is also suitable to fix CVE-2017-15116 for stable trees.
>
> Signed-off-by: Li Kun <[email protected]>
> ---
> crypto/af_alg.c | 2 ++
> 1 file changed, 2 insertions(+)

<formletter>

This is not the correct way to submit patches for inclusion in the
stable kernel tree. Please read:
https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.

</formletter>

2017-12-18 13:34:05

by Li Kun

[permalink] [raw]
Subject: Re: [PATCH] crypto: af_alg - add keylen checking to avoid NULL ptr passing down



在 2017/12/18 20:00, Greg KH 写道:
> On Mon, Dec 18, 2017 at 11:09:23AM +0000, Li Kun wrote:
>> alg_setkey do not check the keylen whether it is zero, so the key
>> may be ZERO_SIZE_PTR when keylen is 0, which will pass the
>> copy_from_user's checking and be passed to the lower functions as key.
>>
>> If the lower functions only check the key if it is NULL, ZERO_SIZE_PTR
>> will pass the checking, and will cause null ptr dereference, so it's
>> better to intercept the invalid parameters in the upper functions.
>>
>> This patch is also suitable to fix CVE-2017-15116 for stable trees.
>>
>> Signed-off-by: Li Kun <[email protected]>
>> ---
>> crypto/af_alg.c | 2 ++
>> 1 file changed, 2 insertions(+)
> <formletter>
>
> This is not the correct way to submit patches for inclusion in the
> stable kernel tree. Please read:
> https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
> for how to do this properly.
sorry, i will resend this patch with "Cc: [email protected]"
>
> </formletter>

--
Best Regards
Li Kun