From: Dmitry Kasatkin Date: Fri, 3 Oct 2014 08:53:28 +0000 (+0300) Subject: KEYS: handle error code encoded in pointer X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=40b50e80c5ca78b3164d79d39b4889c4e58f462e;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git KEYS: handle error code encoded in pointer If hexlen is odd then function returns an error. Use IS_ERR to check for error, otherwise invalid pointer is used and kernel gives oops: [ 132.816522] BUG: unable to handle kernel paging request at ffffffffffffffea [ 132.819902] IP: [] asymmetric_key_id_same+0x14/0x36 [ 132.820302] PGD 1a12067 PUD 1a14067 PMD 0 [ 132.820302] Oops: 0000 [#1] SMP [ 132.820302] Modules linked in: bridge(E) stp(E) llc(E) evdev(E) serio_raw(E) i2c_piix4(E) button(E) fuse(E) [ 132.820302] CPU: 0 PID: 2993 Comm: cat Tainted: G E 3.16.0-kds+ #2847 [ 132.820302] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 132.820302] task: ffff88004249a430 ti: ffff880056640000 task.ti: ffff880056640000 [ 132.820302] RIP: 0010:[] [] asymmetric_key_id_same+0x14/0x36 [ 132.820302] RSP: 0018:ffff880056643930 EFLAGS: 00010246 [ 132.820302] RAX: 0000000000000000 RBX: ffffffffffffffea RCX: ffff880056643ae0 [ 132.820302] RDX: 000000000000005e RSI: ffffffffffffffea RDI: ffff88005bac9300 [ 132.820302] RBP: ffff880056643948 R08: 0000000000000003 R09: 00000007504aa01a [ 132.820302] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88005d68ca40 [ 132.820302] R13: 0000000000000101 R14: 0000000000000000 R15: ffff88005bac5280 [ 132.820302] FS: 00007f67a153c740(0000) GS:ffff88005da00000(0000) knlGS:0000000000000000 [ 132.820302] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 132.820302] CR2: ffffffffffffffea CR3: 000000002e663000 CR4: 00000000000006f0 [ 132.820302] Stack: [ 132.820302] ffffffff812bfc66 ffff880056643ae0 ffff88005bac5280 ffff880056643958 [ 132.820302] ffffffff812bfc9d ffff880056643980 ffffffff812971d9 ffff88005ce930c1 [ 132.820302] ffff88005ce930c0 0000000000000000 ffff8800566439c8 ffffffff812fb753 [ 132.820302] Call Trace: [ 132.820302] [] ? asymmetric_match_key_ids+0x24/0x42 [ 132.820302] [] asymmetric_key_cmp+0x19/0x1b [ 132.820302] [] keyring_search_iterator+0x74/0xd7 [ 132.820302] [] assoc_array_subtree_iterate+0x67/0xd2 [ 132.820302] [] ? key_default_cmp+0x20/0x20 [ 132.820302] [] assoc_array_iterate+0x19/0x1e [ 132.820302] [] search_nested_keyrings+0xf6/0x2b6 [ 132.820302] [] ? sched_clock_cpu+0x91/0xa2 [ 132.820302] [] ? mark_held_locks+0x58/0x6e [ 132.820302] [] ? current_kernel_time+0x77/0xb8 [ 132.820302] [] keyring_search_aux+0xe1/0x14c [ 132.820302] [] ? keyring_search_aux+0x6c/0x14c [ 132.820302] [] keyring_search+0x8f/0xb6 [ 132.820302] [] ? asymmetric_match_key_ids+0x42/0x42 [ 132.820302] [] ? key_default_cmp+0x20/0x20 [ 132.820302] [] asymmetric_verify+0xa4/0x214 [ 132.820302] [] integrity_digsig_verify+0xb1/0xe2 [ 132.820302] [] ? evm_verifyxattr+0x6a/0x7a [ 132.820302] [] ima_appraise_measurement+0x160/0x370 [ 132.820302] [] ? d_absolute_path+0x5b/0x7a [ 132.820302] [] process_measurement+0x322/0x404 Reported-by: Dmitry Kasatkin Signed-off-by: Dmitry Kasatkin Signed-off-by: David Howells --- diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c index f0f2111d2c66..29983cbb658d 100644 --- a/crypto/asymmetric_keys/asymmetric_type.c +++ b/crypto/asymmetric_keys/asymmetric_type.c @@ -153,8 +153,8 @@ static int asymmetric_key_match_preparse(struct key_match_data *match_data) } match_id = asymmetric_key_hex_to_key_id(id); - if (!match_id) - return -ENOMEM; + if (IS_ERR(match_id)) + return PTR_ERR(match_id); match_data->preparsed = match_id; match_data->cmp = asymmetric_key_cmp;