Home Home > GIT Browse > SLE15-SP1
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBen Hutchings <ben@decadent.org.uk>2017-04-01 04:55:18 +0100
committerBen Hutchings <ben@decadent.org.uk>2017-04-04 22:21:57 +0100
commitc53ee259ad3da891e191dee7af119af340f9c01b (patch)
tree61ff73b22ff531699e4edd3110133fef9393149e
parent880366a6e2ef182c37b7c7317dc6d449f625b97d (diff)
keys: Guard against null match function in keyring_search_aux()
The "dead" key type has no match operation, and a search for keys of this type can cause a null dereference in keyring_search_iterator(). keyring_search() has a check for this, but request_keyring_and_link() does not. Move the check into keyring_search_aux(), covering both of them. This was fixed upstream by commit c06cfb08b88d ("KEYS: Remove key_type::match in favour of overriding default by match_preparse"), part of a series of large changes that are not suitable for backporting. CVE-2017-2647 / CVE-2017-6951 Reported-by: Igor Redko <redkoi@virtuozzo.com> Reported-by: Andrey Ryabinin <aryabinin@virtuozzo.com> References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2647 Reported-by: idl3r <idler1984@gmail.com> References: https://www.spinics.net/lists/keyrings/msg01845.html Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Cc: David Howells <dhowells@redhat.com>
-rw-r--r--security/keys/keyring.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 860345cb05f1..796256db1004 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -848,6 +848,9 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
return ERR_PTR(err);
}
+ if (!ctx->match)
+ return ERR_PTR(-ENOKEY);
+
rcu_read_lock();
ctx->now = current_kernel_time();
if (search_nested_keyrings(keyring, ctx))
@@ -879,9 +882,6 @@ key_ref_t keyring_search(key_ref_t keyring,
KEYRING_SEARCH_DO_STATE_CHECK),
};
- if (!ctx.match)
- return ERR_PTR(-ENOKEY);
-
return keyring_search_aux(keyring, &ctx);
}
EXPORT_SYMBOL(keyring_search);