diff options
| author | Eric Biggers <ebiggers@google.com> | 2017-11-06 21:57:26 -0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-11-30 08:39:03 +0000 |
| commit | a1e25420a47a55784f277363ee0b76b2e2ea981d (patch) | |
| tree | 571560bf0d229b8d9a6a450b373ed4de8d639efa | |
| parent | 7d00fdbc494306fa3a8cdaf8659ca2ab591f5830 (diff) | |
| download | linux-stable-a1e25420a47a55784f277363ee0b76b2e2ea981d.tar.gz linux-stable-a1e25420a47a55784f277363ee0b76b2e2ea981d.tar.bz2 linux-stable-a1e25420a47a55784f277363ee0b76b2e2ea981d.zip | |
libceph: don't WARN() if user tries to add invalid key
commit b11270853fa3654f08d4a6a03b23ddb220512d8d upstream.
The WARN_ON(!key->len) in set_secret() in net/ceph/crypto.c is hit if a
user tries to add a key of type "ceph" with an invalid payload as
follows (assuming CONFIG_CEPH_LIB=y):
echo -e -n '\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' \
| keyctl padd ceph desc @s
This can be hit by fuzzers. As this is merely bad input and not a
kernel bug, replace the WARN_ON() with return -EINVAL.
Fixes: 7af3ea189a9a ("libceph: stop allocating a new cipher on every crypto request")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | net/ceph/crypto.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/net/ceph/crypto.c b/net/ceph/crypto.c index 292e33bd916e..5f3a627afcc6 100644 --- a/net/ceph/crypto.c +++ b/net/ceph/crypto.c @@ -34,7 +34,9 @@ static int set_secret(struct ceph_crypto_key *key, void *buf) return -ENOTSUPP; } - WARN_ON(!key->len); + if (!key->len) + return -EINVAL; + key->key = kmemdup(buf, key->len, GFP_NOIO); if (!key->key) { ret = -ENOMEM; |