Commit e2b41f76 authored by Ben Hutchings's avatar Ben Hutchings

keys: Guard against null match function in keyring_search_aux()

The "dead" key type has no match operation, and a search for keys of
this type can cause a null dereference in keyring_search_aux().
keyring_search() has a check for this, but request_keyring_and_link()
does not.  Move the check into keyring_search_aux(), covering both of
them.

This was fixed upstream by commit c06cfb08 ("KEYS: Remove
key_type::match in favour of overriding default by match_preparse"),
part of a series of large changes that are not suitable for
backporting.

CVE-2017-2647 / CVE-2017-6951
Reported-by: default avatarIgor Redko <redkoi@virtuozzo.com>
Reported-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2647Reported-by: default avataridl3r <idler1984@gmail.com>
References: https://www.spinics.net/lists/keyrings/msg01845.htmlSigned-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
Cc: David Howells <dhowells@redhat.com>
parent 2147a170
......@@ -336,6 +336,9 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
if (keyring->type != &key_type_keyring)
goto error;
if (!match)
return ERR_PTR(-ENOKEY);
rcu_read_lock();
now = current_kernel_time();
......@@ -484,9 +487,6 @@ key_ref_t keyring_search(key_ref_t keyring,
struct key_type *type,
const char *description)
{
if (!type->match)
return ERR_PTR(-ENOKEY);
return keyring_search_aux(keyring, current->cred,
type, description, type->match, false);
}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment