• Eric Biggers's avatar
    KEYS: always initialize keyring_index_key::desc_len · 4b08addb
    Eric Biggers authored
    commit ede0fa98 upstream.
    
    syzbot hit the 'BUG_ON(index_key->desc_len == 0);' in __key_link_begin()
    called from construct_alloc_key() during sys_request_key(), because the
    length of the key description was never calculated.
    
    The problem is that we rely on ->desc_len being initialized by
    search_process_keyrings(), specifically by search_nested_keyrings().
    But, if the process isn't subscribed to any keyrings that never happens.
    
    Fix it by always initializing keyring_index_key::desc_len as soon as the
    description is set, like we already do in some places.
    
    The following program reproduces the BUG_ON() when it's run as root and
    no session keyring has been installed.  If it doesn't work, try removing
    pam_keyinit.so from /etc/pam.d/login and rebooting.
    
        #include <stdlib.h>
        #include <unistd.h>
        #include <keyutils.h>
    
        int main(void)
        {
                int id = add_key("keyring", "syz", NULL, 0, KEY_SPEC_USER_KEYRING);
    
                keyctl_setperm(id, KEY_OTH_WRITE);
                setreuid(5000, 5000);
                request_key("user", "desc", "", id);
        }
    
    Reported-by: syzbot+ec24e95ea483de0a24da@syzkaller.appspotmail.com
    Fixes: b2a4df20 ("KEYS: Expand the capacity of a keyring")
    Signed-off-by: 's avatarEric Biggers <ebiggers@google.com>
    Signed-off-by: 's avatarDavid Howells <dhowells@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: 's avatarJames Morris <james.morris@microsoft.com>
    Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    4b08addb
Name
Last commit
Last update
..
apparmor Loading commit data...
integrity Loading commit data...
keys Loading commit data...
loadpin Loading commit data...
selinux Loading commit data...
smack Loading commit data...
tomoyo Loading commit data...
yama Loading commit data...
Kconfig Loading commit data...
Makefile Loading commit data...
commoncap.c Loading commit data...
device_cgroup.c Loading commit data...
inode.c Loading commit data...
lsm_audit.c Loading commit data...
min_addr.c Loading commit data...
security.c Loading commit data...