forked from Minki/linux
096fe9eaea
If a user key gets negatively instantiated, an error code is cached in the payload area. A negatively instantiated key may be then be positively instantiated by updating it with valid data. However, the ->update key type method must be aware that the error code may be there. The following may be used to trigger the bug in the user key type: keyctl request2 user user "" @u keyctl add user user "a" @u which manifests itself as: BUG: unable to handle kernel paging request at 00000000ffffff8a IP: [<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280 kernel/rcu/tree.c:3046 PGD 7cc30067 PUD 0 Oops: 0002 [#1] SMP Modules linked in: CPU: 3 PID: 2644 Comm: a.out Not tainted 4.3.0+ #49 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 task: ffff88003ddea700 ti: ffff88003dd88000 task.ti: ffff88003dd88000 RIP: 0010:[<ffffffff810a376f>] [<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280 [<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280 kernel/rcu/tree.c:3046 RSP: 0018:ffff88003dd8bdb0 EFLAGS: 00010246 RAX: 00000000ffffff82 RBX: 0000000000000000 RCX: 0000000000000001 RDX: ffffffff81e3fe40 RSI: 0000000000000000 RDI: 00000000ffffff82 RBP: ffff88003dd8bde0 R08: ffff88007d2d2da0 R09: 0000000000000000 R10: 0000000000000000 R11: ffff88003e8073c0 R12: 00000000ffffff82 R13: ffff88003dd8be68 R14: ffff88007d027600 R15: ffff88003ddea700 FS: 0000000000b92880(0063) GS:ffff88007fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 00000000ffffff8a CR3: 000000007cc5f000 CR4: 00000000000006e0 Stack: ffff88003dd8bdf0 ffffffff81160a8a 0000000000000000 00000000ffffff82 ffff88003dd8be68 ffff88007d027600 ffff88003dd8bdf0 ffffffff810a39e5 ffff88003dd8be20 ffffffff812a31ab ffff88007d027600 ffff88007d027620 Call Trace: [<ffffffff810a39e5>] kfree_call_rcu+0x15/0x20 kernel/rcu/tree.c:3136 [<ffffffff812a31ab>] user_update+0x8b/0xb0 security/keys/user_defined.c:129 [< inline >] __key_update security/keys/key.c:730 [<ffffffff8129e5c1>] key_create_or_update+0x291/0x440 security/keys/key.c:908 [< inline >] SYSC_add_key security/keys/keyctl.c:125 [<ffffffff8129fc21>] SyS_add_key+0x101/0x1e0 security/keys/keyctl.c:60 [<ffffffff8185f617>] entry_SYSCALL_64_fastpath+0x12/0x6a arch/x86/entry/entry_64.S:185 Note the error code (-ENOKEY) in EDX. A similar bug can be tripped by: keyctl request2 trusted user "" @u keyctl add trusted user "a" @u This should also affect encrypted keys - but that has to be correctly parameterised or it will fail with EINVAL before getting to the bit that will crashes. Reported-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
225 lines
4.9 KiB
C
225 lines
4.9 KiB
C
/* user_defined.c: user defined key type
|
|
*
|
|
* Copyright (C) 2004 Red Hat, Inc. All Rights Reserved.
|
|
* Written by David Howells (dhowells@redhat.com)
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License
|
|
* as published by the Free Software Foundation; either version
|
|
* 2 of the License, or (at your option) any later version.
|
|
*/
|
|
|
|
#include <linux/module.h>
|
|
#include <linux/init.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/seq_file.h>
|
|
#include <linux/err.h>
|
|
#include <keys/user-type.h>
|
|
#include <asm/uaccess.h>
|
|
#include "internal.h"
|
|
|
|
static int logon_vet_description(const char *desc);
|
|
|
|
/*
|
|
* user defined keys take an arbitrary string as the description and an
|
|
* arbitrary blob of data as the payload
|
|
*/
|
|
struct key_type key_type_user = {
|
|
.name = "user",
|
|
.preparse = user_preparse,
|
|
.free_preparse = user_free_preparse,
|
|
.instantiate = generic_key_instantiate,
|
|
.update = user_update,
|
|
.revoke = user_revoke,
|
|
.destroy = user_destroy,
|
|
.describe = user_describe,
|
|
.read = user_read,
|
|
};
|
|
|
|
EXPORT_SYMBOL_GPL(key_type_user);
|
|
|
|
/*
|
|
* This key type is essentially the same as key_type_user, but it does
|
|
* not define a .read op. This is suitable for storing username and
|
|
* password pairs in the keyring that you do not want to be readable
|
|
* from userspace.
|
|
*/
|
|
struct key_type key_type_logon = {
|
|
.name = "logon",
|
|
.preparse = user_preparse,
|
|
.free_preparse = user_free_preparse,
|
|
.instantiate = generic_key_instantiate,
|
|
.update = user_update,
|
|
.revoke = user_revoke,
|
|
.destroy = user_destroy,
|
|
.describe = user_describe,
|
|
.vet_description = logon_vet_description,
|
|
};
|
|
EXPORT_SYMBOL_GPL(key_type_logon);
|
|
|
|
/*
|
|
* Preparse a user defined key payload
|
|
*/
|
|
int user_preparse(struct key_preparsed_payload *prep)
|
|
{
|
|
struct user_key_payload *upayload;
|
|
size_t datalen = prep->datalen;
|
|
|
|
if (datalen <= 0 || datalen > 32767 || !prep->data)
|
|
return -EINVAL;
|
|
|
|
upayload = kmalloc(sizeof(*upayload) + datalen, GFP_KERNEL);
|
|
if (!upayload)
|
|
return -ENOMEM;
|
|
|
|
/* attach the data */
|
|
prep->quotalen = datalen;
|
|
prep->payload.data[0] = upayload;
|
|
upayload->datalen = datalen;
|
|
memcpy(upayload->data, prep->data, datalen);
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL_GPL(user_preparse);
|
|
|
|
/*
|
|
* Free a preparse of a user defined key payload
|
|
*/
|
|
void user_free_preparse(struct key_preparsed_payload *prep)
|
|
{
|
|
kfree(prep->payload.data[0]);
|
|
}
|
|
EXPORT_SYMBOL_GPL(user_free_preparse);
|
|
|
|
/*
|
|
* update a user defined key
|
|
* - the key's semaphore is write-locked
|
|
*/
|
|
int user_update(struct key *key, struct key_preparsed_payload *prep)
|
|
{
|
|
struct user_key_payload *upayload, *zap;
|
|
size_t datalen = prep->datalen;
|
|
int ret;
|
|
|
|
ret = -EINVAL;
|
|
if (datalen <= 0 || datalen > 32767 || !prep->data)
|
|
goto error;
|
|
|
|
/* construct a replacement payload */
|
|
ret = -ENOMEM;
|
|
upayload = kmalloc(sizeof(*upayload) + datalen, GFP_KERNEL);
|
|
if (!upayload)
|
|
goto error;
|
|
|
|
upayload->datalen = datalen;
|
|
memcpy(upayload->data, prep->data, datalen);
|
|
|
|
/* check the quota and attach the new data */
|
|
zap = upayload;
|
|
|
|
ret = key_payload_reserve(key, datalen);
|
|
|
|
if (ret == 0) {
|
|
/* attach the new data, displacing the old */
|
|
if (!test_bit(KEY_FLAG_NEGATIVE, &key->flags))
|
|
zap = key->payload.data[0];
|
|
else
|
|
zap = NULL;
|
|
rcu_assign_keypointer(key, upayload);
|
|
key->expiry = 0;
|
|
}
|
|
|
|
if (zap)
|
|
kfree_rcu(zap, rcu);
|
|
|
|
error:
|
|
return ret;
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(user_update);
|
|
|
|
/*
|
|
* dispose of the links from a revoked keyring
|
|
* - called with the key sem write-locked
|
|
*/
|
|
void user_revoke(struct key *key)
|
|
{
|
|
struct user_key_payload *upayload = key->payload.data[0];
|
|
|
|
/* clear the quota */
|
|
key_payload_reserve(key, 0);
|
|
|
|
if (upayload) {
|
|
rcu_assign_keypointer(key, NULL);
|
|
kfree_rcu(upayload, rcu);
|
|
}
|
|
}
|
|
|
|
EXPORT_SYMBOL(user_revoke);
|
|
|
|
/*
|
|
* dispose of the data dangling from the corpse of a user key
|
|
*/
|
|
void user_destroy(struct key *key)
|
|
{
|
|
struct user_key_payload *upayload = key->payload.data[0];
|
|
|
|
kfree(upayload);
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(user_destroy);
|
|
|
|
/*
|
|
* describe the user key
|
|
*/
|
|
void user_describe(const struct key *key, struct seq_file *m)
|
|
{
|
|
seq_puts(m, key->description);
|
|
if (key_is_instantiated(key))
|
|
seq_printf(m, ": %u", key->datalen);
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(user_describe);
|
|
|
|
/*
|
|
* read the key data
|
|
* - the key's semaphore is read-locked
|
|
*/
|
|
long user_read(const struct key *key, char __user *buffer, size_t buflen)
|
|
{
|
|
const struct user_key_payload *upayload;
|
|
long ret;
|
|
|
|
upayload = user_key_payload(key);
|
|
ret = upayload->datalen;
|
|
|
|
/* we can return the data as is */
|
|
if (buffer && buflen > 0) {
|
|
if (buflen > upayload->datalen)
|
|
buflen = upayload->datalen;
|
|
|
|
if (copy_to_user(buffer, upayload->data, buflen) != 0)
|
|
ret = -EFAULT;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(user_read);
|
|
|
|
/* Vet the description for a "logon" key */
|
|
static int logon_vet_description(const char *desc)
|
|
{
|
|
char *p;
|
|
|
|
/* require a "qualified" description string */
|
|
p = strchr(desc, ':');
|
|
if (!p)
|
|
return -EINVAL;
|
|
|
|
/* also reject description with ':' as first char */
|
|
if (p == desc)
|
|
return -EINVAL;
|
|
|
|
return 0;
|
|
}
|