www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Eric Biggers <ebiggers@google.com>
	Thu, 8 Jun 2017 13:48:40 +0000 (14:48 +0100)
committer	Chuck Anderson <chuck.anderson@oracle.com>
	Tue, 15 Aug 2017 04:24:28 +0000 (21:24 -0700)
commit	fd296bd210fd4621bc87a7f52153cf462a95e067
tree	151114f774efd635ad18029de1bb2a36b4737120	tree
parent	9595a5c8e74a0e97a7f399cb1bd95f1a0b489957	commit \| diff

KEYS: fix dereferencing NULL payload with nonzero length

sys_add_key() and the KEYCTL_UPDATE operation of sys_keyctl() allowed a
NULL payload with nonzero length to be passed to the key type's
->preparse(), ->instantiate(), and/or ->update() methods. Various key
types including asymmetric, cifs.idmap, cifs.spnego, and pkcs7_test did
not handle this case, allowing an unprivileged user to trivially cause a
NULL pointer dereference (kernel oops) if one of these key types was
present. Fix it by doing the copy_from_user() when 'plen' is nonzero
rather than when '_payload' is non-NULL, causing the syscall to fail
with EFAULT as expected when an invalid buffer is specified.

Cc: stable@vger.kernel.org # 2.6.10+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Orabug: 26591890
(cherry picked from commit 5649645d725c73df4302428ee4e02c869248b4c5)
Signed-off-by: Todd Vierling <todd.vierling@oracle.com>