[PATCH 5/7] ecryptfs: fix dereference of NULL user_key_payload

James Morris jmorris at namei.org
Tue Oct 3 11:01:21 UTC 2017


On Thu, 28 Sep 2017, Eric Biggers wrote:

> From: Eric Biggers <ebiggers at google.com>
> 
> In eCryptfs, we failed to verify that the authentication token keys are
> not revoked before dereferencing their payloads, which is problematic
> because the payload of a revoked key is NULL.  request_key() *does* skip
> revoked keys, but there is still a window where the key can be revoked
> before we acquire the key semaphore.
> 
> Fix it by updating ecryptfs_get_key_payload_data() to return
> -EKEYREVOKED if the key payload is NULL.  For completeness we check this
> for "encrypted" keys as well as "user" keys, although encrypted keys
> cannot be revoked currently.
> 
> Alternatively we could use key_validate(), but since we'll also need to
> fix ecryptfs_get_key_payload_data() to validate the payload length, it
> seems appropriate to just check the payload pointer.
> 
> Fixes: 237fead61998 ("[PATCH] ecryptfs: fs/Makefile and fs/Kconfig")
> Cc: <stable at vger.kernel.org>    [v2.6.19+]
> Signed-off-by: Eric Biggers <ebiggers at google.com>

(A further cleanup might add some inline accessor functions for key data, 
but it's not necessary now).

Reviewed-by: James Morris <james.l.morris at oracle.com>

-- 
James Morris
<jmorris at namei.org>

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html



More information about the Linux-security-module-archive mailing list