diff options
| author | Eric Biggers <ebiggers@google.com> | 2018-02-12 17:38:47 -0800 |
|---|---|---|
| committer | Ben Fennema <fennema@google.com> | 2018-04-05 11:27:25 -0700 |
| commit | 16bb9048351ae816edef7d8ae07f6b3469fa10bf (patch) | |
| tree | 030e6d4f3755327d479f17ddea0ebaaf024205a2 | |
| parent | e457e033a7be7cd699dcc26491a4febb8d58cbea (diff) | |
| download | mediatek-16bb9048351ae816edef7d8ae07f6b3469fa10bf.tar.gz | |
UPSTREAM: KEYS: encrypted: fix buffer overread in valid_master_desc()
With the 'encrypted' key type it was possible for userspace to provide a
data blob ending with a master key description shorter than expected,
e.g. 'keyctl add encrypted desc "new x" @s'. When validating such a
master key description, validate_master_desc() could read beyond the end
of the buffer. Fix this by using strncmp() instead of memcmp(). [Also
clean up the code to deduplicate some logic.]
Cc: linux-stable <stable@vger.kernel.org> # 3.18.y
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Bug: 70526974
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Jin Qian <jinqian@google.com>
Signed-off-by: Steve Pfetsch <spfetsch@google.com>
Change-Id: I2cc3af94f855e66f2014dd1dced4425ed8a41f29
(cherry picked from commit 794b4bc292f5d31739d89c0202c54e7dc9bc3add)
| -rw-r--r-- | security/keys/encrypted-keys/encrypted.c | 31 |
1 files changed, 15 insertions, 16 deletions
diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c index 9e1e005c7596..fabb763bba14 100644 --- a/security/keys/encrypted-keys/encrypted.c +++ b/security/keys/encrypted-keys/encrypted.c @@ -141,23 +141,22 @@ static int valid_ecryptfs_desc(const char *ecryptfs_desc) */ static int valid_master_desc(const char *new_desc, const char *orig_desc) { - if (!memcmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN)) { - if (strlen(new_desc) == KEY_TRUSTED_PREFIX_LEN) - goto out; - if (orig_desc) - if (memcmp(new_desc, orig_desc, KEY_TRUSTED_PREFIX_LEN)) - goto out; - } else if (!memcmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN)) { - if (strlen(new_desc) == KEY_USER_PREFIX_LEN) - goto out; - if (orig_desc) - if (memcmp(new_desc, orig_desc, KEY_USER_PREFIX_LEN)) - goto out; - } else - goto out; + int prefix_len; + + if (!strncmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN)) + prefix_len = KEY_TRUSTED_PREFIX_LEN; + else if (!strncmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN)) + prefix_len = KEY_USER_PREFIX_LEN; + else + return -EINVAL; + + if (!new_desc[prefix_len]) + return -EINVAL; + + if (orig_desc && strncmp(new_desc, orig_desc, prefix_len)) + return -EINVAL; + return 0; -out: - return -EINVAL; } /* |