Commit f58a0815 authored by Dmitry Kasatkin's avatar Dmitry Kasatkin Committed by James Morris

lib/digsig: additional sanity checks against badly formated key payload

Added sanity checks for possible wrongly formatted key payload data:
- minimum key payload size
- zero modulus length
- corrected upper key payload boundary.
Signed-off-by: default avatarDmitry Kasatkin <dmitry.kasatkin@intel.com>
Reviewed-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent bc95eead
...@@ -105,6 +105,10 @@ static int digsig_verify_rsa(struct key *key, ...@@ -105,6 +105,10 @@ static int digsig_verify_rsa(struct key *key,
down_read(&key->sem); down_read(&key->sem);
ukp = key->payload.data; ukp = key->payload.data;
if (ukp->datalen < sizeof(*pkh))
goto err1;
pkh = (struct pubkey_hdr *)ukp->data; pkh = (struct pubkey_hdr *)ukp->data;
if (pkh->version != 1) if (pkh->version != 1)
...@@ -117,7 +121,7 @@ static int digsig_verify_rsa(struct key *key, ...@@ -117,7 +121,7 @@ static int digsig_verify_rsa(struct key *key,
goto err1; goto err1;
datap = pkh->mpi; datap = pkh->mpi;
endp = datap + ukp->datalen; endp = ukp->data + ukp->datalen;
for (i = 0; i < pkh->nmpi; i++) { for (i = 0; i < pkh->nmpi; i++) {
unsigned int remaining = endp - datap; unsigned int remaining = endp - datap;
...@@ -128,7 +132,8 @@ static int digsig_verify_rsa(struct key *key, ...@@ -128,7 +132,8 @@ static int digsig_verify_rsa(struct key *key,
mblen = mpi_get_nbits(pkey[0]); mblen = mpi_get_nbits(pkey[0]);
mlen = (mblen + 7)/8; mlen = (mblen + 7)/8;
err = -ENOMEM; if (mlen == 0)
goto err;
out1 = kzalloc(mlen, GFP_KERNEL); out1 = kzalloc(mlen, GFP_KERNEL);
if (!out1) if (!out1)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment