keys: Guard against null match function in keyring_search_aux()

The "dead" key type has no match operation, and a search for keys of this type can cause a null dereference in keyring_search_aux(). keyring_search() has a check for this, but request_keyring_and_link() does not. Move the check into keyring_search_aux(), covering both of them. This was fixed upstream by commit c06cfb08b88d ("KEYS: Remove key_type::match in favour of overriding default by match_preparse"), part of a series of large changes that are not suitable for backporting. CVE-2017-2647 / CVE-2017-6951 Change-Id: If0d61b4621ee5407d9973e183ffebbac551f3713 Reported-by: Igor Redko <redkoi@virtuozzo.com> Reported-by: Andrey Ryabinin <aryabinin@virtuozzo.com> References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2647 Reported-by: idl3r <idler1984@gmail.com> References: https://www.spinics.net/lists/keyrings/msg01845.html Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Cc: David Howells <dhowells@redhat.com>
2025-02-19 21:01:45 +00:00 · 2017-04-01 04:55:18 +01:00 · 2017-04-01 04:55:18 +01:00 · b765ecd025
commit b765ecd025
parent 68f51048a1
1 changed files with 3 additions and 3 deletions
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@ -350,6 +350,9 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
 	if (keyring->type != &key_type_keyring)
 		goto error;

+	if (!match)
+		return ERR_PTR(-ENOKEY);
+
 	rcu_read_lock();

 	now = current_kernel_time();
@ -513,9 +516,6 @@ key_ref_t keyring_search(key_ref_t keyring,
 			 struct key_type *type,
 			 const char *description)
 {
-	if (!type->match)
-		return ERR_PTR(-ENOKEY);
-
 	return keyring_search_aux(keyring, current->cred,
 				  type, description, type->match, false);
 }