| From 192cabd6a296cbc57b3d8c05c4c89d87fc102506 Mon Sep 17 00:00:00 2001 |
| From: Eric Biggers <ebiggers@google.com> |
| Date: Mon, 9 Oct 2017 12:43:20 -0700 |
| Subject: lib/digsig: fix dereference of NULL user_key_payload |
| |
| From: Eric Biggers <ebiggers@google.com> |
| |
| commit 192cabd6a296cbc57b3d8c05c4c89d87fc102506 upstream. |
| |
| digsig_verify() requests a user key, then accesses its payload. |
| However, a revoked key has a NULL payload, and we failed to check for |
| this. request_key() *does* skip revoked keys, but there is still a |
| window where the key can be revoked before we acquire its semaphore. |
| |
| Fix it by checking for a NULL payload, treating it like a key which was |
| already revoked at the time it was requested. |
| |
| Fixes: 051dbb918c7f ("crypto: digital signature verification support") |
| Reviewed-by: James Morris <james.l.morris@oracle.com> |
| Cc: Dmitry Kasatkin <dmitry.kasatkin@intel.com> |
| Signed-off-by: Eric Biggers <ebiggers@google.com> |
| Signed-off-by: David Howells <dhowells@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| lib/digsig.c | 6 ++++++ |
| 1 file changed, 6 insertions(+) |
| |
| --- a/lib/digsig.c |
| +++ b/lib/digsig.c |
| @@ -86,6 +86,12 @@ static int digsig_verify_rsa(struct key |
| down_read(&key->sem); |
| ukp = key->payload.data; |
| |
| + if (!ukp) { |
| + /* key was revoked before we acquired its semaphore */ |
| + err = -EKEYREVOKED; |
| + goto err1; |
| + } |
| + |
| if (ukp->datalen < sizeof(*pkh)) |
| goto err1; |
| |
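Review bot: The new `goto err1` in the `if (!ukp)` branch runs after `down_read(&key->sem)`, so `err1` must release the semaphore. That label is outside this hunk; please confirm it reaches `up_read(&key->sem)` before returning. The existing `ukp->datalen` check jumps to the same label from the same locked state, so it likely does. The new branch sets `err = -EKEYREVOKED` explicitly, while the next check, `if (ukp->datalen < sizeof(*pkh)) goto err1;`, relies on whatever value `err` already holds. An explicit assignment or a short comment on that path would make the return code for a truncated payload as clear as the one for a revoked key. Minor documentation point: the commit message refers to digsig_verify(), but the hunk header shows the check landing in digsig_verify_rsa(). Naming the helper in the message would make the fix easier to locate when backporting.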