Merge tag 'keys-fixes-20200329' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs

+1 -1

include/keys/big_key-type.h

··· 17 17 extern void big_key_revoke(struct key *key); 18 18 extern void big_key_destroy(struct key *key); 19 19 extern void big_key_describe(const struct key *big_key, struct seq_file *m); 20 - extern long big_key_read(const struct key *key, char __user *buffer, size_t buflen); 20 + extern long big_key_read(const struct key *key, char *buffer, size_t buflen); 21 21 22 22 #endif /* _KEYS_BIG_KEY_TYPE_H */

+1 -2

include/keys/user-type.h

··· 41 41 extern void user_revoke(struct key *key); 42 42 extern void user_destroy(struct key *key); 43 43 extern void user_describe(const struct key *user, struct seq_file *m); 44 - extern long user_read(const struct key *key, 45 - char __user *buffer, size_t buflen); 44 + extern long user_read(const struct key *key, char *buffer, size_t buflen); 46 45 47 46 static inline const struct user_key_payload *user_key_payload_rcu(const struct key *key) 48 47 {

+1 -1

include/linux/key-type.h

··· 127 127 * much is copied into the buffer 128 128 * - shouldn't do the copy if the buffer is NULL 129 129 */ 130 - long (*read)(const struct key *key, char __user *buffer, size_t buflen); 130 + long (*read)(const struct key *key, char *buffer, size_t buflen); 131 131 132 132 /* handle request_key() for this type instead of invoking 133 133 * /sbin/request-key (optional)

+1 -1

net/dns_resolver/dns_key.c

··· 302 302 * - the key's semaphore is read-locked 303 303 */ 304 304 static long dns_resolver_read(const struct key *key, 305 - char __user *buffer, size_t buflen) 305 + char *buffer, size_t buflen) 306 306 { 307 307 int err = PTR_ERR(key->payload.data[dns_key_error]); 308 308

+9 -18

net/rxrpc/key.c

··· 31 31 static void rxrpc_destroy(struct key *); 32 32 static void rxrpc_destroy_s(struct key *); 33 33 static void rxrpc_describe(const struct key *, struct seq_file *); 34 - static long rxrpc_read(const struct key *, char __user *, size_t); 34 + static long rxrpc_read(const struct key *, char *, size_t); 35 35 36 36 /* 37 37 * rxrpc defined keys take an arbitrary string as the description and an ··· 1042 1042 * - this returns the result in XDR form 1043 1043 */ 1044 1044 static long rxrpc_read(const struct key *key, 1045 - char __user *buffer, size_t buflen) 1045 + char *buffer, size_t buflen) 1046 1046 { 1047 1047 const struct rxrpc_key_token *token; 1048 1048 const struct krb5_principal *princ; 1049 1049 size_t size; 1050 - __be32 __user *xdr, *oldxdr; 1050 + __be32 *xdr, *oldxdr; 1051 1051 u32 cnlen, toksize, ntoks, tok, zero; 1052 1052 u16 toksizes[AFSTOKEN_MAX]; 1053 1053 int loop; ··· 1124 1124 if (!buffer || buflen < size) 1125 1125 return size; 1126 1126 1127 - xdr = (__be32 __user *) buffer; 1127 + xdr = (__be32 *)buffer; 1128 1128 zero = 0; 1129 1129 #define ENCODE(x) \ 1130 1130 do { \ 1131 - __be32 y = htonl(x); \ 1132 - if (put_user(y, xdr++) < 0) \ 1133 - goto fault; \ 1131 + *xdr++ = htonl(x); \ 1134 1132 } while(0) 1135 1133 #define ENCODE_DATA(l, s) \ 1136 1134 do { \ 1137 1135 u32 _l = (l); \ 1138 1136 ENCODE(l); \ 1139 - if (copy_to_user(xdr, (s), _l) != 0) \ 1140 - goto fault; \ 1141 - if (_l & 3 && \ 1142 - copy_to_user((u8 __user *)xdr + _l, &zero, 4 - (_l & 3)) != 0) \ 1143 - goto fault; \ 1137 + memcpy(xdr, (s), _l); \ 1138 + if (_l & 3) \ 1139 + memcpy((u8 *)xdr + _l, &zero, 4 - (_l & 3)); \ 1144 1140 xdr += (_l + 3) >> 2; \ 1145 1141 } while(0) 1146 1142 #define ENCODE64(x) \ 1147 1143 do { \ 1148 1144 __be64 y = cpu_to_be64(x); \ 1149 - if (copy_to_user(xdr, &y, 8) != 0) \ 1150 - goto fault; \ 1145 + memcpy(xdr, &y, 8); \ 1151 1146 xdr += 8 >> 2; \ 1152 1147 } while(0) 1153 1148 #define ENCODE_STR(s) \ ··· 1233 1238 ASSERTCMP((char __user *) xdr - buffer, ==, size); 1234 1239 _leave(" = %zu", size); 1235 1240 return size; 1236 - 1237 - fault: 1238 - _leave(" = -EFAULT"); 1239 - return -EFAULT; 1240 1241 }

+4 -7

security/keys/big_key.c

··· 352 352 * read the key data 353 353 * - the key's semaphore is read-locked 354 354 */ 355 - long big_key_read(const struct key *key, char __user *buffer, size_t buflen) 355 + long big_key_read(const struct key *key, char *buffer, size_t buflen) 356 356 { 357 357 size_t datalen = (size_t)key->payload.data[big_key_len]; 358 358 long ret; ··· 391 391 392 392 ret = datalen; 393 393 394 - /* copy decrypted data to user */ 395 - if (copy_to_user(buffer, buf->virt, datalen) != 0) 396 - ret = -EFAULT; 394 + /* copy out decrypted data */ 395 + memcpy(buffer, buf->virt, datalen); 397 396 398 397 err_fput: 399 398 fput(file); ··· 400 401 big_key_free_buffer(buf); 401 402 } else { 402 403 ret = datalen; 403 - if (copy_to_user(buffer, key->payload.data[big_key_data], 404 - datalen) != 0) 405 - ret = -EFAULT; 404 + memcpy(buffer, key->payload.data[big_key_data], datalen); 406 405 } 407 406 408 407 return ret;

+3 -4

security/keys/encrypted-keys/encrypted.c

··· 902 902 } 903 903 904 904 /* 905 - * encrypted_read - format and copy the encrypted data to userspace 905 + * encrypted_read - format and copy out the encrypted data 906 906 * 907 907 * The resulting datablob format is: 908 908 * <master-key name> <decrypted data length> <encrypted iv> <encrypted data> 909 909 * 910 910 * On success, return to userspace the encrypted key datablob size. 911 911 */ 912 - static long encrypted_read(const struct key *key, char __user *buffer, 912 + static long encrypted_read(const struct key *key, char *buffer, 913 913 size_t buflen) 914 914 { 915 915 struct encrypted_key_payload *epayload; ··· 957 957 key_put(mkey); 958 958 memzero_explicit(derived_key, sizeof(derived_key)); 959 959 960 - if (copy_to_user(buffer, ascii_buf, asciiblob_len) != 0) 961 - ret = -EFAULT; 960 + memcpy(buffer, ascii_buf, asciiblob_len); 962 961 kzfree(ascii_buf); 963 962 964 963 return asciiblob_len;

+12

security/keys/internal.h

··· 16 16 #include <linux/keyctl.h> 17 17 #include <linux/refcount.h> 18 18 #include <linux/compat.h> 19 + #include <linux/mm.h> 20 + #include <linux/vmalloc.h> 19 21 20 22 struct iovec; 21 23 ··· 351 349 352 350 #endif 353 351 352 + /* 353 + * Helper function to clear and free a kvmalloc'ed memory object. 354 + */ 355 + static inline void __kvzfree(const void *addr, size_t len) 356 + { 357 + if (addr) { 358 + memset((void *)addr, 0, len); 359 + kvfree(addr); 360 + } 361 + } 354 362 #endif /* _INTERNAL_H */

+87 -18

security/keys/keyctl.c

··· 339 339 payload = NULL; 340 340 if (plen) { 341 341 ret = -ENOMEM; 342 - payload = kmalloc(plen, GFP_KERNEL); 342 + payload = kvmalloc(plen, GFP_KERNEL); 343 343 if (!payload) 344 344 goto error; 345 345 ··· 360 360 361 361 key_ref_put(key_ref); 362 362 error2: 363 - kzfree(payload); 363 + __kvzfree(payload, plen); 364 364 error: 365 365 return ret; 366 366 } ··· 798 798 } 799 799 800 800 /* 801 + * Call the read method 802 + */ 803 + static long __keyctl_read_key(struct key *key, char *buffer, size_t buflen) 804 + { 805 + long ret; 806 + 807 + down_read(&key->sem); 808 + ret = key_validate(key); 809 + if (ret == 0) 810 + ret = key->type->read(key, buffer, buflen); 811 + up_read(&key->sem); 812 + return ret; 813 + } 814 + 815 + /* 801 816 * Read a key's payload. 802 817 * 803 818 * The key must either grant the caller Read permission, or it must grant the ··· 827 812 struct key *key; 828 813 key_ref_t key_ref; 829 814 long ret; 815 + char *key_data = NULL; 816 + size_t key_data_len; 830 817 831 818 /* find the key first */ 832 819 key_ref = lookup_user_key(keyid, 0, 0); 833 820 if (IS_ERR(key_ref)) { 834 821 ret = -ENOKEY; 835 - goto error; 822 + goto out; 836 823 } 837 824 838 825 key = key_ref_to_ptr(key_ref); 839 826 840 827 ret = key_read_state(key); 841 828 if (ret < 0) 842 - goto error2; /* Negatively instantiated */ 829 + goto key_put_out; /* Negatively instantiated */ 843 830 844 831 /* see if we can read it directly */ 845 832 ret = key_permission(key_ref, KEY_NEED_READ); 846 833 if (ret == 0) 847 834 goto can_read_key; 848 835 if (ret != -EACCES) 849 - goto error2; 836 + goto key_put_out; 850 837 851 838 /* we can't; see if it's searchable from this process's keyrings 852 839 * - we automatically take account of the fact that it may be ··· 856 839 */ 857 840 if (!is_key_possessed(key_ref)) { 858 841 ret = -EACCES; 859 - goto error2; 842 + goto key_put_out; 860 843 } 861 844 862 845 /* the key is probably readable - now try to read it */ 863 846 can_read_key: 864 - ret = -EOPNOTSUPP; 865 - if (key->type->read) { 866 - /* Read the data with the semaphore held (since we might sleep) 867 - * to protect against the key being updated or revoked. 868 - */ 869 - down_read(&key->sem); 870 - ret = key_validate(key); 871 - if (ret == 0) 872 - ret = key->type->read(key, buffer, buflen); 873 - up_read(&key->sem); 847 + if (!key->type->read) { 848 + ret = -EOPNOTSUPP; 849 + goto key_put_out; 874 850 } 875 851 876 - error2: 852 + if (!buffer || !buflen) { 853 + /* Get the key length from the read method */ 854 + ret = __keyctl_read_key(key, NULL, 0); 855 + goto key_put_out; 856 + } 857 + 858 + /* 859 + * Read the data with the semaphore held (since we might sleep) 860 + * to protect against the key being updated or revoked. 861 + * 862 + * Allocating a temporary buffer to hold the keys before 863 + * transferring them to user buffer to avoid potential 864 + * deadlock involving page fault and mmap_sem. 865 + * 866 + * key_data_len = (buflen <= PAGE_SIZE) 867 + * ? buflen : actual length of key data 868 + * 869 + * This prevents allocating arbitrary large buffer which can 870 + * be much larger than the actual key length. In the latter case, 871 + * at least 2 passes of this loop is required. 872 + */ 873 + key_data_len = (buflen <= PAGE_SIZE) ? buflen : 0; 874 + for (;;) { 875 + if (key_data_len) { 876 + key_data = kvmalloc(key_data_len, GFP_KERNEL); 877 + if (!key_data) { 878 + ret = -ENOMEM; 879 + goto key_put_out; 880 + } 881 + } 882 + 883 + ret = __keyctl_read_key(key, key_data, key_data_len); 884 + 885 + /* 886 + * Read methods will just return the required length without 887 + * any copying if the provided length isn't large enough. 888 + */ 889 + if (ret <= 0 || ret > buflen) 890 + break; 891 + 892 + /* 893 + * The key may change (unlikely) in between 2 consecutive 894 + * __keyctl_read_key() calls. In this case, we reallocate 895 + * a larger buffer and redo the key read when 896 + * key_data_len < ret <= buflen. 897 + */ 898 + if (ret > key_data_len) { 899 + if (unlikely(key_data)) 900 + __kvzfree(key_data, key_data_len); 901 + key_data_len = ret; 902 + continue; /* Allocate buffer */ 903 + } 904 + 905 + if (copy_to_user(buffer, key_data, ret)) 906 + ret = -EFAULT; 907 + break; 908 + } 909 + __kvzfree(key_data, key_data_len); 910 + 911 + key_put_out: 877 912 key_put(key); 878 - error: 913 + out: 879 914 return ret; 880 915 } 881 916

+1 -5

security/keys/keyring.c

··· 459 459 { 460 460 struct keyring_read_iterator_context *ctx = data; 461 461 const struct key *key = keyring_ptr_to_key(object); 462 - int ret; 463 462 464 463 kenter("{%s,%d},,{%zu/%zu}", 465 464 key->type->name, key->serial, ctx->count, ctx->buflen); ··· 466 467 if (ctx->count >= ctx->buflen) 467 468 return 1; 468 469 469 - ret = put_user(key->serial, ctx->buffer); 470 - if (ret < 0) 471 - return ret; 472 - ctx->buffer++; 470 + *ctx->buffer++ = key->serial; 473 471 ctx->count += sizeof(key->serial); 474 472 return 0; 475 473 }

+3 -4

security/keys/request_key_auth.c

··· 22 22 static void request_key_auth_describe(const struct key *, struct seq_file *); 23 23 static void request_key_auth_revoke(struct key *); 24 24 static void request_key_auth_destroy(struct key *); 25 - static long request_key_auth_read(const struct key *, char __user *, size_t); 25 + static long request_key_auth_read(const struct key *, char *, size_t); 26 26 27 27 /* 28 28 * The request-key authorisation key type definition. ··· 80 80 * - the key's semaphore is read-locked 81 81 */ 82 82 static long request_key_auth_read(const struct key *key, 83 - char __user *buffer, size_t buflen) 83 + char *buffer, size_t buflen) 84 84 { 85 85 struct request_key_auth *rka = dereference_key_locked(key); 86 86 size_t datalen; ··· 97 97 if (buflen > datalen) 98 98 buflen = datalen; 99 99 100 - if (copy_to_user(buffer, rka->callout_info, buflen) != 0) 101 - ret = -EFAULT; 100 + memcpy(buffer, rka->callout_info, buflen); 102 101 } 103 102 104 103 return ret;

+2 -12

security/keys/trusted-keys/trusted_tpm1.c

··· 1130 1130 * trusted_read - copy the sealed blob data to userspace in hex. 1131 1131 * On success, return to userspace the trusted key datablob size. 1132 1132 */ 1133 - static long trusted_read(const struct key *key, char __user *buffer, 1133 + static long trusted_read(const struct key *key, char *buffer, 1134 1134 size_t buflen) 1135 1135 { 1136 1136 const struct trusted_key_payload *p; 1137 - char *ascii_buf; 1138 1137 char *bufp; 1139 1138 int i; 1140 1139 ··· 1142 1143 return -EINVAL; 1143 1144 1144 1145 if (buffer && buflen >= 2 * p->blob_len) { 1145 - ascii_buf = kmalloc_array(2, p->blob_len, GFP_KERNEL); 1146 - if (!ascii_buf) 1147 - return -ENOMEM; 1148 - 1149 - bufp = ascii_buf; 1146 + bufp = buffer; 1150 1147 for (i = 0; i < p->blob_len; i++) 1151 1148 bufp = hex_byte_pack(bufp, p->blob[i]); 1152 - if (copy_to_user(buffer, ascii_buf, 2 * p->blob_len) != 0) { 1153 - kzfree(ascii_buf); 1154 - return -EFAULT; 1155 - } 1156 - kzfree(ascii_buf); 1157 1149 } 1158 1150 return 2 * p->blob_len; 1159 1151 }

+2 -3

security/keys/user_defined.c

··· 168 168 * read the key data 169 169 * - the key's semaphore is read-locked 170 170 */ 171 - long user_read(const struct key *key, char __user *buffer, size_t buflen) 171 + long user_read(const struct key *key, char *buffer, size_t buflen) 172 172 { 173 173 const struct user_key_payload *upayload; 174 174 long ret; ··· 181 181 if (buflen > upayload->datalen) 182 182 buflen = upayload->datalen; 183 183 184 - if (copy_to_user(buffer, upayload->data, buflen) != 0) 185 - ret = -EFAULT; 184 + memcpy(buffer, upayload->data, buflen); 186 185 } 187 186 188 187 return ret;