Merge branch 'fixes-v4.14-rc7' of...

Merge branch 'fixes-v4.14-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull key handling fixes from James Morris: "Fixes for the Keys subsystem by Eric Biggers" * 'fixes-v4.14-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: KEYS: fix out-of-bounds read during ASN.1 parsing KEYS: trusted: fix writing past end of buffer in trusted_read() KEYS: return full count in keyring_read() if buffer is too small

Merge branch 'fixes-v4.14-rc7' of...
Merge branch 'fixes-v4.14-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull key handling fixes from James Morris: "Fixes for the Keys subsystem by Eric Biggers" * 'fixes-v4.14-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: KEYS: fix out-of-bounds read during ASN.1 parsing KEYS: trusted: fix writing past end of buffer in trusted_read() KEYS: return full count in keyring_read() if buffer is too small
6965f1aa · Linus Torvalds · e78c38f6 · 2eb9eabf · 6965f1aa · 6965f1aa
Commit 6965f1aa authored Nov 02, 2017 by Linus Torvalds
Hide whitespace changes
Inline Side-by-side

Showing with 34 additions and 31 deletions

lib/asn1_decoder.c lib/asn1_decoder.c +3 -0

security/keys/keyring.c security/keys/keyring.c +19 -20

security/keys/trusted.c security/keys/trusted.c +12 -11

No files found.
--- a/lib/asn1_decoder.c
+++ b/lib/asn1_decoder.c
@@ -284,6 +284,9 @@ int asn1_ber_decoder(const struct asn1_decoder *decoder,
 				if (unlikely(len > datalen - dp))
 					goto data_overrun_error;
 			}
+		} else {
+			if (unlikely(len > datalen - dp))
+				goto data_overrun_error;
 		}
 		if (flags & FLAG_CONS) {

--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -459,34 +459,33 @@ static long keyring_read(const struct key *keyring,
 			 char __user *buffer, size_t buflen)
 {
 	struct keyring_read_iterator_context ctx;
-	unsigned long nr_keys;
+	long ret;
-	int ret;
 	kenter("{%d},,%zu", key_serial(keyring), buflen);
 	if (buflen & (sizeof(key_serial_t) - 1))
 		return -EINVAL;
-	nr_keys = keyring->keys.nr_leaves_on_tree;
+	/* Copy as many key IDs as fit into the buffer */
-	if (nr_keys == 0)
+	if (buffer && buflen) {
-		return 0;
+		ctx.buffer = (key_serial_t __user *)buffer;
+		ctx.buflen = buflen;
-	/* Calculate how much data we could return */
+		ctx.count = 0;
-	if (!buffer || !buflen)
+		ret = assoc_array_iterate(&keyring->keys,
-		return nr_keys * sizeof(key_serial_t);
+					  keyring_read_iterator, &ctx);
+		if (ret < 0) {
-	/* Copy the IDs of the subscribed keys into the buffer */
+			kleave(" = %ld [iterate]", ret);
-	ctx.buffer = (key_serial_t __user *)buffer;
+			return ret;
-	ctx.buflen = buflen;
+		}
-	ctx.count = 0;
-	ret = assoc_array_iterate(&keyring->keys, keyring_read_iterator, &ctx);
-	if (ret < 0) {
-		kleave(" = %d [iterate]", ret);
-		return ret;
 	}
-	kleave(" = %zu [ok]", ctx.count);
+	/* Return the size of the buffer needed */
-	return ctx.count;
+	ret = keyring->keys.nr_leaves_on_tree * sizeof(key_serial_t);
+	if (ret <= buflen)
+		kleave("= %ld [ok]", ret);
+	else
+		kleave("= %ld [buffer too small]", ret);
+	return ret;
 }
 /*

--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -1147,20 +1147,21 @@ static long trusted_read(const struct key *key, char __user *buffer,
 	p = dereference_key_locked(key);
 	if (!p)
 		return -EINVAL;
-	if (!buffer || buflen <= 0)
-		return 2 * p->blob_len;
-	ascii_buf = kmalloc(2 * p->blob_len, GFP_KERNEL);
-	if (!ascii_buf)
-		return -ENOMEM;
-	bufp = ascii_buf;
+	if (buffer && buflen >= 2 * p->blob_len) {
-	for (i = 0; i < p->blob_len; i++)
+		ascii_buf = kmalloc(2 * p->blob_len, GFP_KERNEL);
-		bufp = hex_byte_pack(bufp, p->blob[i]);
+		if (!ascii_buf)
-	if ((copy_to_user(buffer, ascii_buf, 2 * p->blob_len)) != 0) {
+			return -ENOMEM;
+		bufp = ascii_buf;
+		for (i = 0; i < p->blob_len; i++)
+			bufp = hex_byte_pack(bufp, p->blob[i]);
+		if (copy_to_user(buffer, ascii_buf, 2 * p->blob_len) != 0) {
+			kzfree(ascii_buf);
+			return -EFAULT;
+		}
 		kzfree(ascii_buf);
-		return -EFAULT;
 	}
-	kzfree(ascii_buf);
 	return 2 * p->blob_len;
 }