summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorEric Biggers <ebiggers@google.com>2017-07-13 13:16:56 +0100
committerJames Morris <james.l.morris@oracle.com>2017-07-14 11:01:38 +1000
commit4f9dabfaf8df971f8a3b6aa324f8f817be38d538 (patch)
treed7825b3a87a89699417b255c71018998482ae4cd /security
parent5ccbdbf9870fe9efe78d77df23d5e7d8641c36f8 (diff)
downloadlinux-stable-4f9dabfaf8df971f8a3b6aa324f8f817be38d538.tar.gz
linux-stable-4f9dabfaf8df971f8a3b6aa324f8f817be38d538.tar.bz2
linux-stable-4f9dabfaf8df971f8a3b6aa324f8f817be38d538.zip
KEYS: DH: validate __spare field
Syscalls must validate that their reserved arguments are zero and return EINVAL otherwise. Otherwise, it will be impossible to actually use them for anything in the future because existing programs may be passing garbage in. This is standard practice when adding new APIs. Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
Diffstat (limited to 'security')
-rw-r--r--security/keys/compat_dh.c2
-rw-r--r--security/keys/dh.c5
2 files changed, 7 insertions, 0 deletions
diff --git a/security/keys/compat_dh.c b/security/keys/compat_dh.c
index a6a659b6bcb6..aa6b34cafe5f 100644
--- a/security/keys/compat_dh.c
+++ b/security/keys/compat_dh.c
@@ -33,6 +33,8 @@ long compat_keyctl_dh_compute(struct keyctl_dh_params __user *params,
kdfcopy.hashname = compat_ptr(compat_kdfcopy.hashname);
kdfcopy.otherinfo = compat_ptr(compat_kdfcopy.otherinfo);
kdfcopy.otherinfolen = compat_kdfcopy.otherinfolen;
+ memcpy(kdfcopy.__spare, compat_kdfcopy.__spare,
+ sizeof(kdfcopy.__spare));
return __keyctl_dh_compute(params, buffer, buflen, &kdfcopy);
}
diff --git a/security/keys/dh.c b/security/keys/dh.c
index 4755d4b4f945..d1ea9f325f94 100644
--- a/security/keys/dh.c
+++ b/security/keys/dh.c
@@ -266,6 +266,11 @@ long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
if (kdfcopy) {
char *hashname;
+ if (memchr_inv(kdfcopy->__spare, 0, sizeof(kdfcopy->__spare))) {
+ ret = -EINVAL;
+ goto out1;
+ }
+
if (buflen > KEYCTL_KDF_MAX_OUTPUT_LEN ||
kdfcopy->otherinfolen > KEYCTL_KDF_MAX_OI_LEN) {
ret = -EMSGSIZE;