• David Howells's avatar
    KEYS: Fix handling of stored error in a negatively instantiated user key · 096fe9ea
    David Howells authored
    If a user key gets negatively instantiated, an error code is cached in the
    payload area.  A negatively instantiated key may be then be positively
    instantiated by updating it with valid data.  However, the ->update key
    type method must be aware that the error code may be there.
    
    The following may be used to trigger the bug in the user key type:
    
        keyctl request2 user user "" @u
        keyctl add user user "a" @u
    
    which manifests itself as:
    
    	BUG: unable to handle kernel paging request at 00000000ffffff8a
    	IP: [<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280 kernel/rcu/tree.c:3046
    	PGD 7cc30067 PUD 0
    	Oops: 0002 [#1] SMP
    	Modules linked in:
    	CPU: 3 PID: 2644 Comm: a.out Not tainted 4.3.0+ #49
    	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
    	task: ffff88003ddea700 ti: ffff88003dd88000 task.ti: ffff88003dd88000
    	RIP: 0010:[<ffffffff810a376f>]  [<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280
    	 [<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280 kernel/rcu/tree.c:3046
    	RSP: 0018:ffff88003dd8bdb0  EFLAGS: 00010246
    	RAX: 00000000ffffff82 RBX: 0000000000000000 RCX: 0000000000000001
    	RDX: ffffffff81e3fe40 RSI: 0000000000000000 RDI: 00000000ffffff82
    	RBP: ffff88003dd8bde0 R08: ffff88007d2d2da0 R09: 0000000000000000
    	R10: 0000000000000000 R11: ffff88003e8073c0 R12: 00000000ffffff82
    	R13: ffff88003dd8be68 R14: ffff88007d027600 R15: ffff88003ddea700
    	FS:  0000000000b92880(0063) GS:ffff88007fd00000(0000) knlGS:0000000000000000
    	CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    	CR2: 00000000ffffff8a CR3: 000000007cc5f000 CR4: 00000000000006e0
    	Stack:
    	 ffff88003dd8bdf0 ffffffff81160a8a 0000000000000000 00000000ffffff82
    	 ffff88003dd8be68 ffff88007d027600 ffff88003dd8bdf0 ffffffff810a39e5
    	 ffff88003dd8be20 ffffffff812a31ab ffff88007d027600 ffff88007d027620
    	Call Trace:
    	 [<ffffffff810a39e5>] kfree_call_rcu+0x15/0x20 kernel/rcu/tree.c:3136
    	 [<ffffffff812a31ab>] user_update+0x8b/0xb0 security/keys/user_defined.c:129
    	 [<     inline     >] __key_update security/keys/key.c:730
    	 [<ffffffff8129e5c1>] key_create_or_update+0x291/0x440 security/keys/key.c:908
    	 [<     inline     >] SYSC_add_key security/keys/keyctl.c:125
    	 [<ffffffff8129fc21>] SyS_add_key+0x101/0x1e0 security/keys/keyctl.c:60
    	 [<ffffffff8185f617>] entry_SYSCALL_64_fastpath+0x12/0x6a arch/x86/entry/entry_64.S:185
    
    Note the error code (-ENOKEY) in EDX.
    
    A similar bug can be tripped by:
    
        keyctl request2 trusted user "" @u
        keyctl add trusted user "a" @u
    
    This should also affect encrypted keys - but that has to be correctly
    parameterised or it will fail with EINVAL before getting to the bit that
    will crashes.
    Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Acked-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
    Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
    096fe9ea
encrypted.c 26.2 KB