Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

KEYS: DH: validate __spare field

Syscalls must validate that their reserved arguments are zero and return
EINVAL otherwise.  Otherwise, it will be impossible to actually use them
for anything in the future because existing programs may be passing
garbage in.  This is standard practice when adding new APIs.

Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Eric Biggers 8 years ago
parent
5ccbdbf987
commit
4f9dabfaf8
2 changed files with 7 additions and 0 deletions
Split View Show Diff Stats
  1. 2 0
      security/keys/compat_dh.c
  2. 5 0
      security/keys/dh.c

+ 2 - 0
security/keys/compat_dh.c
View File 

@@ -33,6 +33,8 @@ long compat_keyctl_dh_compute(struct keyctl_dh_params __user *params,
 
 	kdfcopy.hashname = compat_ptr(compat_kdfcopy.hashname);
 
 	kdfcopy.otherinfo = compat_ptr(compat_kdfcopy.otherinfo);
 
 	kdfcopy.otherinfolen = compat_kdfcopy.otherinfolen;
 
+	memcpy(kdfcopy.__spare, compat_kdfcopy.__spare,
 
+	       sizeof(kdfcopy.__spare));
 
 
 	return __keyctl_dh_compute(params, buffer, buflen, &kdfcopy);
 
 }

+ 5 - 0
security/keys/dh.c
View File 

@@ -266,6 +266,11 @@ long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
 
 	if (kdfcopy) {
 
 		char *hashname;
 
 
+		if (memchr_inv(kdfcopy->__spare, 0, sizeof(kdfcopy->__spare))) {
 
+			ret = -EINVAL;
 
+			goto out1;
 
+		}
 
+
 
 		if (buflen > KEYCTL_KDF_MAX_OUTPUT_LEN ||
 
 		    kdfcopy->otherinfolen > KEYCTL_KDF_MAX_OI_LEN) {
 
 			ret = -EMSGSIZE;