releases/3.18.78/lib-digsig-fix-dereference-of-null-user_key_payload.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 192cabd6a296cbc57b3d8c05c4c89d87fc102506 Mon Sep 17 00:00:00 2001
 From: Eric Biggers <ebiggers@google.com>
 Date: Mon, 9 Oct 2017 12:43:20 -0700
 Subject: lib/digsig: fix dereference of NULL user_key_payload

 From: Eric Biggers <ebiggers@google.com>

 commit 192cabd6a296cbc57b3d8c05c4c89d87fc102506 upstream.

 digsig_verify() requests a user key, then accesses its payload.
 However, a revoked key has a NULL payload, and we failed to check for
 this.  request_key() *does* skip revoked keys, but there is still a
 window where the key can be revoked before we acquire its semaphore.

 Fix it by checking for a NULL payload, treating it like a key which was
 already revoked at the time it was requested.

 Fixes: 051dbb918c7f ("crypto: digital signature verification support")
 Reviewed-by: James Morris <james.l.morris@oracle.com>
 Cc: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
 Signed-off-by: Eric Biggers <ebiggers@google.com>
 Signed-off-by: David Howells <dhowells@redhat.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  lib/digsig.c |    6 ++++++
  1 file changed, 6 insertions(+)

 --- a/lib/digsig.c
 +++ b/lib/digsig.c
 @@ -86,6 +86,12 @@ static int digsig_verify_rsa(struct key
  	down_read(&key->sem);
  	ukp = key->payload.data;

 +	if (!ukp) {
 +		/* key was revoked before we acquired its semaphore */
 +		err = -EKEYREVOKED;
 +		goto err1;
 +	}
 +
  	if (ukp->datalen < sizeof(*pkh))
  		goto err1;
	From 192cabd6a296cbc57b3d8c05c4c89d87fc102506 Mon Sep 17 00:00:00 2001
	From: Eric Biggers <ebiggers@google.com>
	Date: Mon, 9 Oct 2017 12:43:20 -0700
	Subject: lib/digsig: fix dereference of NULL user_key_payload

	From: Eric Biggers <ebiggers@google.com>

	commit 192cabd6a296cbc57b3d8c05c4c89d87fc102506 upstream.

	digsig_verify() requests a user key, then accesses its payload.
	However, a revoked key has a NULL payload, and we failed to check for
	this. request_key() does skip revoked keys, but there is still a
	window where the key can be revoked before we acquire its semaphore.

	Fix it by checking for a NULL payload, treating it like a key which was
	already revoked at the time it was requested.

	Fixes: 051dbb918c7f ("crypto: digital signature verification support")
	Reviewed-by: James Morris <james.l.morris@oracle.com>
	Cc: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
	Signed-off-by: Eric Biggers <ebiggers@google.com>
	Signed-off-by: David Howells <dhowells@redhat.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	lib/digsig.c \| 6 ++++++
	1 file changed, 6 insertions(+)

	--- a/lib/digsig.c
	+++ b/lib/digsig.c
	@@ -86,6 +86,12 @@ static int digsig_verify_rsa(struct key
	down_read(&key->sem);
	ukp = key->payload.data;

	+ if (!ukp) {
	+ /* key was revoked before we acquired its semaphore */
	+ err = -EKEYREVOKED;
	+ goto err1;
	+ }
	+
	if (ukp->datalen < sizeof(*pkh))
	goto err1;