| From 4f9dabfaf8df971f8a3b6aa324f8f817be38d538 Mon Sep 17 00:00:00 2001 |
| From: Eric Biggers <ebiggers@google.com> |
| Date: Thu, 13 Jul 2017 13:16:56 +0100 |
| Subject: KEYS: DH: validate __spare field |
| |
| From: Eric Biggers <ebiggers@google.com> |
| |
| commit 4f9dabfaf8df971f8a3b6aa324f8f817be38d538 upstream. |
| |
| Syscalls must validate that their reserved arguments are zero and return |
| EINVAL otherwise. Otherwise, it will be impossible to actually use them |
| for anything in the future because existing programs may be passing |
| garbage in. This is standard practice when adding new APIs. |
| |
| Signed-off-by: Eric Biggers <ebiggers@google.com> |
| Signed-off-by: David Howells <dhowells@redhat.com> |
| Signed-off-by: James Morris <james.l.morris@oracle.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| security/keys/compat_dh.c | 2 ++ |
| security/keys/dh.c | 5 +++++ |
| 2 files changed, 7 insertions(+) |
| |
| --- a/security/keys/compat_dh.c |
| +++ b/security/keys/compat_dh.c |
| @@ -33,6 +33,8 @@ long compat_keyctl_dh_compute(struct key |
| kdfcopy.hashname = compat_ptr(compat_kdfcopy.hashname); |
| kdfcopy.otherinfo = compat_ptr(compat_kdfcopy.otherinfo); |
| kdfcopy.otherinfolen = compat_kdfcopy.otherinfolen; |
| + memcpy(kdfcopy.__spare, compat_kdfcopy.__spare, |
| + sizeof(kdfcopy.__spare)); |
| |
| return __keyctl_dh_compute(params, buffer, buflen, &kdfcopy); |
| } |
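Review bot: The added `memcpy()` in compat_keyctl_dh_compute() takes its length from the destination, `sizeof(kdfcopy.__spare)`, so it assumes the compat structure's `__spare` array is the same size; neither structure definition is visible in this hunk. If the two ever diverged, the copy would read beyond the compat field or leave part of the native field unset, and the zero check added in __keyctl_dh_compute() would then test bytes that did not come from the caller. I would pin the assumption at build time with `BUILD_BUG_ON(sizeof(kdfcopy.__spare) != sizeof(compat_kdfcopy.__spare));` just before the copy. The function body starts outside the hunk, so whether `kdfcopy` is otherwise initialised cannot be confirmed from here.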
| --- a/security/keys/dh.c |
| +++ b/security/keys/dh.c |
| @@ -266,6 +266,11 @@ long __keyctl_dh_compute(struct keyctl_d |
| if (kdfcopy) { |
| char *hashname; |
| |
| + if (memchr_inv(kdfcopy->__spare, 0, sizeof(kdfcopy->__spare))) { |
| + ret = -EINVAL; |
| + goto out1; |
| + } |
| + |
| if (buflen > KEYCTL_KDF_MAX_OUTPUT_LEN || |
| kdfcopy->otherinfolen > KEYCTL_KDF_MAX_OI_LEN) { |
| ret = -EMSGSIZE; |
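Review bot: The new `memchr_inv()` check on `kdfcopy->__spare` has no comment explaining why a non-zero reserved field is rejected, so a later reader could mistake it for an over-strict check and relax it. I would add `/* __spare is reserved for future extensions; reject non-zero values so the field can be given meaning later */` above the `if`. Because the check runs before the size limits, a caller that has both garbage in `__spare` and an oversized buffer gets -EINVAL rather than -EMSGSIZE, which is worth stating in the keyctl documentation. The `out1` label and the rest of __keyctl_dh_compute() are outside the hunk, so what that exit path releases cannot be confirmed from here.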