Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d312c003 authored by Eric Biggers's avatar Eric Biggers Committed by Greg Kroah-Hartman
Browse files

KEYS: fix length validation in keyctl_pkey_params_get_2() 



commit c51abd96837f600d8fd940b6ab8e2da578575504 upstream.

In many cases, keyctl_pkey_params_get_2() is validating the user buffer
lengths against the wrong algorithm properties.  Fix it to check against
the correct properties.

Probably this wasn't noticed before because for all asymmetric keys of
the "public_key" subtype, max_data_size == max_sig_size == max_enc_size
== max_dec_size.  However, this isn't necessarily true for the
"asym_tpm" subtype (it should be, but it's not strictly validated).  Of
course, future key types could have different values as well.

Fixes: 00d60fd3 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]")
Cc: <stable@vger.kernel.org> # v4.20+
Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
Reviewed-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 2458ecd2

security/keys/keyctl_pkey.c

+11 −3
Original line number Diff line number Diff line
@@ -135,15 +135,23 @@ static int keyctl_pkey_params_get_2(const struct keyctl_pkey_params __user *_par 


	switch (op) {

	case KEYCTL_PKEY_ENCRYPT:

		if (uparams.in_len  > info.max_dec_size ||

		    uparams.out_len > info.max_enc_size)

			return -EINVAL;

		break;

	case KEYCTL_PKEY_DECRYPT:

		if (uparams.in_len  > info.max_enc_size ||

		    uparams.out_len > info.max_dec_size)

			return -EINVAL;

		break;

	case KEYCTL_PKEY_SIGN:

		if (uparams.in_len  > info.max_data_size ||

		    uparams.out_len > info.max_sig_size)

			return -EINVAL;

		break;

	case KEYCTL_PKEY_VERIFY:

		if (uparams.in_len  > info.max_sig_size ||

		    uparams.out_len > info.max_data_size)

		if (uparams.in_len  > info.max_data_size ||

		    uparams.in2_len > info.max_sig_size)

			return -EINVAL;

		break;

	default:
@@ -151,7 +159,7 @@ static int keyctl_pkey_params_get_2(const struct keyctl_pkey_params __user *_par 
	}



	params->in_len  = uparams.in_len;

	params->out_len = uparams.out_len;

	params->out_len = uparams.out_len; /* Note: same as in2_len */

	return 0;

}