[PATCH 0/7] Fix dereferencing payload of revoked keys
Eric Biggers
ebiggers3 at gmail.com
Thu Sep 28 21:25:55 UTC 2017
From: Eric Biggers <ebiggers at google.com>
This series fixes the various users of the keyrings service that access
a "user" or "logon" key's payload without first checking whether the
payload pointer is NULL, or calling key_validate() while holding the key
semaphore. Without one of these two checks, a NULL pointer dereference
will occur if the key has been revoked concurrently. Usually this is
pretty easy to reproduce (in most of the cases even as an unprivileged
user), although it may be unlikely to happen by accident.
Patch 6 also fixes the lack of key length validation in ecryptfs.
These fixes probably will need to be split up between a few different
maintainers, but initially I'm sending the full series so that people
can see the full context of the fixes.
Eric Biggers (7):
KEYS: encrypted: fix dereference of NULL user_key_payload
FS-Cache: fix dereference of NULL user_key_payload
lib/digsig: fix dereference of NULL user_key_payload
fscrypt: fix dereference of NULL user_key_payload
ecryptfs: fix dereference of NULL user_key_payload
ecryptfs: fix out-of-bounds read of key payload
ecryptfs: move key payload accessor functions into keystore.c
fs/crypto/keyinfo.c | 5 +++
fs/ecryptfs/ecryptfs_kernel.h | 44 -------------------
fs/ecryptfs/keystore.c | 73 +++++++++++++++++++++++++++++++-
fs/fscache/object-list.c | 7 +++
lib/digsig.c | 6 +++
security/keys/encrypted-keys/encrypted.c | 7 +++
6 files changed, 97 insertions(+), 45 deletions(-)
--
2.14.2.822.g60be5d43e6-goog
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list