3.16.43-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Ben Hutchings <ben@xxxxxxxxxxxxxxx> The "dead" key type has no match operation, and a search for keys of this type can cause a null dereference in keyring_search_iterator(). keyring_search() has a check for this, but request_keyring_and_link() does not. Move the check into keyring_search_aux(), covering both of them. This was fixed upstream by commit c06cfb08b88d ("KEYS: Remove key_type::match in favour of overriding default by match_preparse"), part of a series of large changes that are not suitable for backporting. CVE-2017-2647 / CVE-2017-6951 Reported-by: Igor Redko <redkoi@xxxxxxxxxxxxx> Reported-by: Andrey Ryabinin <aryabinin@xxxxxxxxxxxxx> References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2647 Reported-by: idl3r <idler1984@xxxxxxxxx> References: https://www.spinics.net/lists/keyrings/msg01845.html Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx> Cc: David Howells <dhowells@xxxxxxxxxx> --- --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -848,6 +848,9 @@ key_ref_t keyring_search_aux(key_ref_t k return ERR_PTR(err); } + if (!ctx->match) + return ERR_PTR(-ENOKEY); + rcu_read_lock(); ctx->now = current_kernel_time(); if (search_nested_keyrings(keyring, ctx)) @@ -879,9 +882,6 @@ key_ref_t keyring_search(key_ref_t keyri KEYRING_SEARCH_DO_STATE_CHECK), }; - if (!ctx.match) - return ERR_PTR(-ENOKEY); - return keyring_search_aux(keyring, &ctx); } EXPORT_SYMBOL(keyring_search);