summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEric Biggers <ebiggers@google.com>2017-06-08 14:49:42 +0100
committerJames Morris <james.l.morris@oracle.com>2017-06-09 13:29:49 +1000
commit281590b4221779dbc4a5e2c33c0c5b0239cfe794 (patch)
tree3abf0a758a569c41c972f5c79f31337ad7a04fae
parentbbe240454d86be95151e0ecfd6ac55fe5ef5a6f5 (diff)
downloadlinux-stable-281590b4221779dbc4a5e2c33c0c5b0239cfe794.tar.gz
linux-stable-281590b4221779dbc4a5e2c33c0c5b0239cfe794.tar.bz2
linux-stable-281590b4221779dbc4a5e2c33c0c5b0239cfe794.zip
KEYS: DH: don't feed uninitialized "otherinfo" into KDF
If userspace called KEYCTL_DH_COMPUTE with kdf_params containing NULL otherinfo but nonzero otherinfolen, the kernel would allocate a buffer for the otherinfo, then feed it into the KDF without initializing it. Fix this by always doing the copy from userspace (which will fail with EFAULT in this scenario). Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: James Morris <james.l.morris@oracle.com>
-rw-r--r--security/keys/dh.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/security/keys/dh.c b/security/keys/dh.c
index 8abc70ebe22d..1c1cac677041 100644
--- a/security/keys/dh.c
+++ b/security/keys/dh.c
@@ -317,7 +317,7 @@ long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
* Concatenate SP800-56A otherinfo past DH shared secret -- the
* input to the KDF is (DH shared secret || otherinfo)
*/
- if (kdfcopy && kdfcopy->otherinfo &&
+ if (kdfcopy &&
copy_from_user(kbuf + resultlen, kdfcopy->otherinfo,
kdfcopy->otherinfolen) != 0) {
ret = -EFAULT;