KEYS: always initialize keyring_index_key::desc_len

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

syzbot hit the 'BUG_ON(index_key->desc_len == 0);' in __key_link_begin()
called from construct_alloc_key() during sys_request_key(), because the
length of the key description was never calculated.

The problem is that we rely on ->desc_len being initialized by
search_process_keyrings(), specifically by search_nested_keyrings().
But, if the process isn't subscribed to any keyrings that never happens.

Fix it by always initializing keyring_index_key::desc_len as soon as the
description is set, like we already do in some places.

The following program reproduces the BUG_ON() when it's run as root and
no session keyring has been installed. If it doesn't work, try removing
pam_keyinit.so from /etc/pam.d/login and rebooting.

#include <stdlib.h>
#include <unistd.h>
#include <keyutils.h>

int main(void)
{
int id = add_key("keyring", "syz", NULL, 0, KEY_SPEC_USER_KEYRING);

keyctl_setperm(id, KEY_OTH_WRITE);
setreuid(5000, 5000);
request_key("user", "desc", "", id);
}

Reported-by: syzbot+ec24e95ea483de0a24da@syzkaller.appspotmail.com
Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.morris@microsoft.com>

authored by

Eric Biggers and committed by

James Morris 7 years ago ede0fa98 cc1780fc

+4 -6

4 changed files

expand all

security

keys

keyring.c

proc.c

request_key.c

request_key_auth.c

+1 -3

security/keys/keyring.c

··· 661 661 BUG_ON((ctx->flags & STATE_CHECKS) == 0 || 662 662 (ctx->flags & STATE_CHECKS) == STATE_CHECKS); 663 663 664 - if (ctx->index_key.description) 665 - ctx->index_key.desc_len = strlen(ctx->index_key.description); 666 - 667 664 /* Check to see if this top-level keyring is what we are looking for 668 665 * and whether it is valid or not. 669 666 */ ··· 911 914 struct keyring_search_context ctx = { 912 915 .index_key.type = type, 913 916 .index_key.description = description, 917 + .index_key.desc_len = strlen(description), 914 918 .cred = current_cred(), 915 919 .match_data.cmp = key_default_cmp, 916 920 .match_data.raw_data = description,

+1 -2

security/keys/proc.c

··· 165 165 int rc; 166 166 167 167 struct keyring_search_context ctx = { 168 - .index_key.type = key->type, 169 - .index_key.description = key->description, 168 + .index_key = key->index_key, 170 169 .cred = m->file->f_cred, 171 170 .match_data.cmp = lookup_user_key_possessed, 172 171 .match_data.raw_data = key,

security/keys/request_key.c

··· 531 531 struct keyring_search_context ctx = { 532 532 .index_key.type = type, 533 533 .index_key.description = description, 534 + .index_key.desc_len = strlen(description), 534 535 .cred = current_cred(), 535 536 .match_data.cmp = key_default_cmp, 536 537 .match_data.raw_data = description,

+1 -1

security/keys/request_key_auth.c

··· 247 247 struct key *authkey; 248 248 key_ref_t authkey_ref; 249 249 250 - sprintf(description, "%x", target_id); 250 + ctx.index_key.desc_len = sprintf(description, "%x", target_id); 251 251 252 252 authkey_ref = search_process_keyrings(&ctx); 253 253

Configure Feed

Configure Feed