lib/digsig: fix dereference of NULL user_key_payload

BugLink: http://bugs.launchpad.net/bugs/1729107 commit 192cabd6 upstream. digsig_verify() requests a user key, then accesses its payload. However, a revoked key has a NULL payload, and we failed to check for this. request_key() *does* skip revoked keys, but there is still a window where the key can be revoked before we acquire its semaphore. Fix it by checking for a NULL payload, treating it like a key which was already revoked at the time it was requested. Fixes: 051dbb91 ("crypto: digital signature verification support") Reviewed-by: James Morris <james.l.morris@oracle.com> Cc: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

lib/digsig: fix dereference of NULL user_key_payload
BugLink: http://bugs.launchpad.net/bugs/1729107 commit 192cabd6 upstream. digsig_verify() requests a user key, then accesses its payload. However, a revoked key has a NULL payload, and we failed to check for this. request_key() *does* skip revoked keys, but there is still a window where the key can be revoked before we acquire its semaphore. Fix it by checking for a NULL payload, treating it like a key which was already revoked at the time it was requested. Fixes: 051dbb91 ("crypto: digital signature verification support") Reviewed-by: James Morris <james.l.morris@oracle.com> Cc: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
3acdc3e8 · Eric Biggers · Thadeu Lima de Souza Cascardo · b2ba9c8a · 3acdc3e8
Commit 3acdc3e8 authored Oct 09, 2017 by Eric Biggers Committed by Thadeu Lima de Souza Cascardo Nov 01, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

lib/digsig.c lib/digsig.c +6 -0

No files found.
--- a/lib/digsig.c
+++ b/lib/digsig.c
@@ -87,6 +87,12 @@ static int digsig_verify_rsa(struct key *key,
 	down_read(&key->sem);
 	ukp = user_key_payload(key);

+	if (!ukp) {
+		/* key was revoked before we acquired its semaphore */
+		err = -EKEYREVOKED;
+		goto err1;
+	}
+
 	if (ukp->datalen < sizeof(*pkh))
 		goto err1;