keys: Guard against null match function in keyring_search_aux()
The "dead" key type has no match operation, and a search for keys of
this type can cause a null dereference in keyring_search_aux().
keyring_search() has a check for this, but request_keyring_and_link()
does not. Move the check into keyring_search_aux(), covering both of
them.
This was fixed upstream by commit c06cfb08b88d ("KEYS: Remove
key_type::match in favour of overriding default by match_preparse"),
part of a series of large changes that are not suitable for
backporting.
CVE-2017-2647 / CVE-2017-6951
Change-Id: If0d61b4621ee5407d9973e183ffebbac551f3713
Reported-by: Igor Redko <redkoi@virtuozzo.com>
Reported-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2647
Reported-by: idl3r <idler1984@gmail.com>
References: https://www.spinics.net/lists/keyrings/msg01845.html
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: David Howells <dhowells@redhat.com>
This commit is contained in:
Ben Hutchings
LuK1337
parent
b6e7473ffd
commit
2a3d5719b8
|
|
@ -350,6 +350,9 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
|
|||
if (keyring->type != &key_type_keyring)
|
||||
goto error;
|
||||
|
||||
if (!match)
|
||||
return ERR_PTR(-ENOKEY);
|
||||
|
||||
rcu_read_lock();
|
||||
|
||||
now = current_kernel_time();
|
||||
|
|
@ -513,9 +516,6 @@ key_ref_t keyring_search(key_ref_t keyring,
|
|||
struct key_type *type,
|
||||
const char *description)
|
||||
{
|
||||
if (!type->match)
|
||||
return ERR_PTR(-ENOKEY);
|
||||
|
||||
return keyring_search_aux(keyring, current->cred,
|
||||
type, description, type->match, false);
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue