[PATCH 0/3] keys: fix keyring assoc-array out-of-bounds read and index inconsistency
Michael Bommarito
michael.bommarito at gmail.com
Sun Jul 12 01:44:57 UTC 2026
keyring_get_key_chunk() advances the description read pointer by
level * sizeof(long) past the inline prefix but only bounds-checks the
prefix, so once the associative-array walk reaches a description-level
chunk it reads past the kmemdup(desc, desc_len + 1) description
allocation. Reaching that depth needs two keys that collide through the
hash, x, type and domain_tag chunks, which an unprivileged add_key(2)
can arrange with a crafted pair of same-type keys.
An unprivileged user can thus read up to sizeof(long) bytes past a
keyring key's description; on kernels built without init-on-alloc the
same collision, read back with KEYCTL_READ, returns uninitialized kernel
slab.
Patch 1 is the memory-safety fix and stands alone. Patches 2 and 3 fix
two index-key consistency bugs that let the crafted keys collide into a
single malformed node in the first place, which is what enables the
KEYCTL_READ disclosure.
The KASAN reproduction is on patch 1. Trigger is available off-list.
Michael Bommarito (3):
keys: fix out-of-bounds read in keyring_get_key_chunk()
keys: make keyring key-chunk byte order agree with
keyring_diff_objects()
assoc_array: trim the final shortcut word when skip_to_level is
chunk-aligned
lib/assoc_array.c | 2 +-
security/keys/keyring.c | 15 ++++++++-------
2 files changed, 9 insertions(+), 8 deletions(-)
base-commit: 2c7c88a412aa6d09cd04b414211b4ef8553b5309
--
2.53.0
More information about the Linux-security-module-archive
mailing list