• Eric Biggers's avatar
    KEYS: always initialize keyring_index_key::desc_len · 4b08addb
    Eric Biggers authored
    commit ede0fa98 upstream.
    
    syzbot hit the 'BUG_ON(index_key->desc_len == 0);' in __key_link_begin()
    called from construct_alloc_key() during sys_request_key(), because the
    length of the key description was never calculated.
    
    The problem is that we rely on ->desc_len being initialized by
    search_process_keyrings(), specifically by search_nested_keyrings().
    But, if the process isn't subscribed to any keyrings that never happens.
    
    Fix it by always initializing keyring_index_key::desc_len as soon as the
    description is set, like we already do in some places.
    
    The following program reproduces the BUG_ON() when it's run as root and
    no session keyring has been installed.  If it doesn't work, try removing
    pam_keyinit.so from /etc/pam.d/login and rebooting.
    
        #include <stdlib.h>
        #include <unistd.h>
        #include <keyutils.h>
    
        int main(void)
        {
                int id = add_key("keyring", "syz", NULL, 0, KEY_SPEC_USER_KEYRING);
    
                keyctl_setperm(id, KEY_OTH_WRITE);
                setreuid(5000, 5000);
                request_key("user", "desc", "", id);
        }
    
    Reported-by: syzbot+ec24e95ea483de0a24da@syzkaller.appspotmail.com
    Fixes: b2a4df20 ("KEYS: Expand the capacity of a keyring")
    Signed-off-by: 's avatarEric Biggers <ebiggers@google.com>
    Signed-off-by: 's avatarDavid Howells <dhowells@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: 's avatarJames Morris <james.morris@microsoft.com>
    Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    4b08addb
Name
Last commit
Last update
Documentation Loading commit data...
LICENSES Loading commit data...
arch Loading commit data...
block Loading commit data...
certs Loading commit data...
crypto Loading commit data...
drivers Loading commit data...
firmware Loading commit data...
fs Loading commit data...
include Loading commit data...
init Loading commit data...
ipc Loading commit data...
kernel Loading commit data...
lib Loading commit data...
mm Loading commit data...
net Loading commit data...
samples Loading commit data...
scripts Loading commit data...
security Loading commit data...
sound Loading commit data...
tools Loading commit data...
usr Loading commit data...
virt Loading commit data...
.clang-format Loading commit data...
.cocciconfig Loading commit data...
.get_maintainer.ignore Loading commit data...
.gitattributes Loading commit data...
.gitignore Loading commit data...
.mailmap Loading commit data...
COPYING Loading commit data...
CREDITS Loading commit data...
Kbuild Loading commit data...
Kconfig Loading commit data...
MAINTAINERS Loading commit data...
Makefile Loading commit data...
README Loading commit data...