KEYS: DH: validate __spare field
authorEric Biggers <ebiggers@google.com>
Thu, 13 Jul 2017 12:16:56 +0000 (13:16 +0100)
committerJames Morris <james.l.morris@oracle.com>
Fri, 14 Jul 2017 01:01:38 +0000 (11:01 +1000)
Syscalls must validate that their reserved arguments are zero and return
EINVAL otherwise.  Otherwise, it will be impossible to actually use them
for anything in the future because existing programs may be passing
garbage in.  This is standard practice when adding new APIs.

Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
security/keys/compat_dh.c
security/keys/dh.c

index a6a659b6bcb6d1d92daa0ddb5c207a3c399857db..aa6b34cafe5f9482cc5c5e98224bde15e2ddb6d2 100644 (file)
@@ -33,6 +33,8 @@ long compat_keyctl_dh_compute(struct keyctl_dh_params __user *params,
        kdfcopy.hashname = compat_ptr(compat_kdfcopy.hashname);
        kdfcopy.otherinfo = compat_ptr(compat_kdfcopy.otherinfo);
        kdfcopy.otherinfolen = compat_kdfcopy.otherinfolen;
+       memcpy(kdfcopy.__spare, compat_kdfcopy.__spare,
+              sizeof(kdfcopy.__spare));
 
        return __keyctl_dh_compute(params, buffer, buflen, &kdfcopy);
 }
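Review bot: The added `memcpy` sizes the copy by the destination (`sizeof(kdfcopy.__spare)`) while reading from `compat_kdfcopy.__spare`, so it is only safe while both arrays have the same size, which this hunk does not show. A compile-time guard beside it would pin that assumption: `BUILD_BUG_ON(sizeof(kdfcopy.__spare) != sizeof(compat_kdfcopy.__spare));`. If the compat layout ever shrinks, the copy would otherwise read past the source array and feed adjacent stack bytes into the zero check. compat_keyctl_dh_compute starts above the hunk, so how `kdfcopy` is otherwise initialised cannot be confirmed from here.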
index 4755d4b4f94544236cd2b8cca1b2169b895579b7..d1ea9f325f947891f0699b4c417ee5545fcfe0a4 100644 (file)
@@ -266,6 +266,11 @@ long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
        if (kdfcopy) {
                char *hashname;
 
+               if (memchr_inv(kdfcopy->__spare, 0, sizeof(kdfcopy->__spare))) {
+                       ret = -EINVAL;
+                       goto out1;
+               }
+
                if (buflen > KEYCTL_KDF_MAX_OUTPUT_LEN ||
                    kdfcopy->otherinfolen > KEYCTL_KDF_MAX_OI_LEN) {
                        ret = -EMSGSIZE;
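Review bot: The new `memchr_inv()` check at the top of the `if (kdfcopy)` branch has no comment explaining why non-zero reserved bytes are rejected, so a later reader could mistake it for redundant validation and drop it. I would add `/* __spare is reserved for future extensions; reject non-zero so the bytes can be given meaning later */` directly above it. Because the check runs before the length checks, a caller with both a dirty `__spare` and an oversized buffer now gets -EINVAL rather than -EMSGSIZE; that ordering looks reasonable but is a userspace-visible detail worth stating in the keyctl documentation. The `out1` label is outside the hunk, so what it releases at this point cannot be confirmed from here.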