[PATCH 4.13 59/85] lib/digsig: fix dereference of NULL user_key_payload

[PATCH 4.13 00/85] 4.13.10-stable review · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 01/85] staging: bcm2835-audio: Fix memory corruption · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 02/85] USB: devio: Revert "USB: devio: Dont corrupt user memory" · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 13/85] parisc: Fix double-word compare and exchange in LWS code on 32-bit kernels · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 14/85] parisc: Fix detection of nonsynchronous cr16 cycle counters · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 16/85] usb: musb: sunxi: Explicitly release USB PHY on exit · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 17/85] USB: musb: fix session-bit runtime-PM quirk · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 19/85] usb: musb: musb_cppi41: Fix the address of teardown and autoreq registers · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 20/85] usb: musb: musb_cppi41: Fix cppi41_set_dma_mode() for DA8xx · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 22/85] usb: musb: Check for host-mode using is_host_active() on reset interrupt · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 05/85] usb: cdc_acm: Add quirk for Elatec TWN3 · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 25/85] usb: xhci: Reset halted endpoint if trb is noop · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 26/85] usb: xhci: Handle error condition in xhci_stop_device() · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 28/85] can: af_can: can_pernet_init(): add missing error handling for kzalloc returning NULL · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 29/85] can: flexcan: fix state transition regression · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 31/85] can: flexcan: implement error passive state quirk · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 32/85] can: flexcan: fix i.MX6 state transition issue · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 30/85] can: flexcan: rename legacy error state quirk · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 24/85] xhci: Cleanup current_cmd in xhci_cleanup_command_queue() · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 23/85] xhci: Identify USB 3.1 capable hosts by their port protocol capability · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 21/85] usb: musb: musb_cppi41: Configure the number of channels for DA8xx · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 33/85] can: flexcan: fix i.MX28 state transition issue · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 34/85] can: flexcan: fix p1010 state transition issue · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 35/85] KEYS: encrypted: fix dereference of NULL user_key_payload · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 38/85] drm/nouveau/kms/nv50: fix oops during DP IRQ handling on non-MST boards · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 39/85] drm/nouveau/bsp/g92: disable by default · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 40/85] drm/nouveau/mmu: flush tlbs before deleting page tables · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 07/85] usb: hub: Allow reset retry for USB2 devices on connect bounce · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 09/85] can: gs_usb: fix busy loop if no more TX context is available · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 10/85] scsi: qla2xxx: Fix uninitialized work element · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 11/85] nbd: dont set the device size until were connected · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 42/85] media: cec: Respond to unregistered initiators, when applicable · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 51/85] Input: stmfts - fix setting ABS_MT_POSITION_* maximum size · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 53/85] brcmsmac: make some local variables static const to reduce stack size · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 52/85] brcmfmac: Add check for short event packets · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 55/85] bus: mbus: fix window size calculation for 4GB windows · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 57/85] rtlwifi: rtl8821ae: Fix connection lost problem · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 58/85] x86/microcode/intel: Disable late loading on model 79 · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 60/85] fscrypt: fix dereference of NULL user_key_payload · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 43/85] media: dvb: i2c transfers over usb cannot be done from stack · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 61/85] ecryptfs: fix dereference of NULL user_key_payload · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 62/85] KEYS: Fix race between updating and finding a negative key · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 63/85] FS-Cache: fix dereference of NULL user_key_payload · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 64/85] KEYS: dont let add_key() update an uninstantiated key · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 65/85] pkcs7: Prevent NULL pointer dereference, since sinfo is not always set. · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 59/85] lib/digsig: fix dereference of NULL user_key_payload · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 67/85] ALSA: hda - Fix incorrect TLV callback check introduced during set_fs() removal · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 68/85] iomap_dio_rw: Allocate AIO completion queue before submitting dio · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 69/85] xfs: dont unconditionally clear the reflink flag on zero-block files · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 70/85] xfs: evict CoW fork extents when performing finsert/fcollapse · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 44/85] tracing/samples: Fix creation and deletion of simple_thread_fn creation · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
Re: [PATCH 4.13 44/85] tracing/samples: Fix creation and deletion of simple_thread_fn creation · Steven Rostedt <rostedt@goodmis.org> · 2017-10-30
Re: [PATCH 4.13 44/85] tracing/samples: Fix creation and deletion of simple_thread_fn creation · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-30
[PATCH 4.13 71/85] fs/xfs: Use %pS printk format for direct addresses · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 72/85] xfs: report zeroed or not correctly in xfs_zero_range() · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 74/85] xfs: perag initialization should only touch m_ag_max_usable for AG 0 · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 75/85] xfs: Capture state of the right inode in xfs_iflush_done · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 76/85] xfs: always swap the cow forks when swapping extents · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 77/85] xfs: handle racy AIO in xfs_reflink_end_cow · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 78/85] xfs: Dont log uninitialised fields in inode structures · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 79/85] xfs: move more RT specific code under CONFIG_XFS_RT · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 45/85] ALSA: seq: Enable use locking in all configurations · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 73/85] xfs: update i_size after unwritten conversion in dio completion · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 46/85] ALSA: hda: Remove superfluous - added by printk conversion · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 48/85] i2c: ismt: Separate I2C block read from SMBus block read · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 50/85] Revert "tools/power turbostat: stop migrating, unless -m" · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 81/85] xfs: reinit btree pointer on attr tree inactivation walk · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 82/85] xfs: handle error if xfs_btree_get_bufs fails · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 83/85] xfs: cancel dirty pages on invalidation · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 84/85] xfs: trim writepage mapping to within eof · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 85/85] xfs: move two more RT specific functions into CONFIG_XFS_RT · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
Re: [PATCH 4.13 85/85] xfs: move two more RT specific functions into CONFIG_XFS_RT · Arnd Bergmann <arnd@arndb.de> · 2017-10-25
Re: [PATCH 4.13 85/85] xfs: move two more RT specific functions into CONFIG_XFS_RT · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-26
[PATCH 4.13 80/85] xfs: dont change inode mode if ACL update fails · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 41/85] media: s5p-cec: add NACK detection support · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 47/85] ALSA: hda: Abort capability probe at invalid register read · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 66/85] arm64: dts: rockchip: correct vqmmc voltage for rk3399 platforms · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 56/85] clockevents/drivers/cs5535: Improve resilience to spurious interrupts · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 54/85] ARM: dts: sun6i: Fix endpoint IDs in second display pipeline · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 03/85] USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor() · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 12/85] s390/cputime: fix guest/irq/softirq times after CPU hotplug · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 08/85] ALSA: usb-audio: Add native DSD support for Pro-Ject Pre Box S2 Digital · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 36/85] mmc: sdhci-pci: Fix default d3_retune for Intel host controllers · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 18/85] USB: musb: fix late external abort on suspend · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 15/85] iio: dummy: events: Add missing break · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
[PATCH 4.13 04/85] USB: serial: metro-usb: add MS7820 device id · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-24
Re: [PATCH 4.13 00/85] 4.13.10-stable review · Guenter Roeck <linux@roeck-us.net> · 2017-10-24
Re: [PATCH 4.13 00/85] 4.13.10-stable review · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-10-25

STALE3158d REVIEWED: 1 (0M)

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: 2017-10-24 13:16:51
Also in: lkml

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <redacted>

commit 192cabd6a296cbc57b3d8c05c4c89d87fc102506 upstream.

digsig_verify() requests a user key, then accesses its payload.
However, a revoked key has a NULL payload, and we failed to check for
this.  request_key() *does* skip revoked keys, but there is still a
window where the key can be revoked before we acquire its semaphore.

Fix it by checking for a NULL payload, treating it like a key which was
already revoked at the time it was requested.

Fixes: 051dbb918c7f ("crypto: digital signature verification support")
Reviewed-by: James Morris <redacted>
Cc: Dmitry Kasatkin <redacted>
Signed-off-by: Eric Biggers <redacted>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 lib/digsig.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/lib/digsig.c
+++ b/lib/digsig.c

@@ -87,6 +87,12 @@ static int digsig_verify_rsa(struct key
 	down_read(&key->sem);
 	ukp = user_key_payload_locked(key);
 
+	if (!ukp) {
+		/* key was revoked before we acquired its semaphore */
+		err = -EKEYREVOKED;
+		goto err1;
+	}
+
 	if (ukp->datalen < sizeof(*pkh))
 		goto err1;

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help