3.2.88-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Ben Hutchings <ben@xxxxxxxxxxxxxxx> The "dead" key type has no match operation, and a search for keys of this type can cause a null dereference in keyring_search_aux(). keyring_search() has a check for this, but request_keyring_and_link() does not. Move the check into keyring_search_aux(), covering both of them. This was fixed upstream by commit c06cfb08b88d ("KEYS: Remove key_type::match in favour of overriding default by match_preparse"), part of a series of large changes that are not suitable for backporting. CVE-2017-2647 / CVE-2017-6951 Reported-by: Igor Redko <redkoi@xxxxxxxxxxxxx> Reported-by: Andrey Ryabinin <aryabinin@xxxxxxxxxxxxx> References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2647 Reported-by: idl3r <idler1984@xxxxxxxxx> References: https://www.spinics.net/lists/keyrings/msg01845.html Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx> Cc: David Howells <dhowells@xxxxxxxxxx> --- --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -336,6 +336,9 @@ key_ref_t keyring_search_aux(key_ref_t k if (keyring->type != &key_type_keyring) goto error; + if (!match) + return ERR_PTR(-ENOKEY); + rcu_read_lock(); now = current_kernel_time(); @@ -484,9 +487,6 @@ key_ref_t keyring_search(key_ref_t keyri struct key_type *type, const char *description) { - if (!type->match) - return ERR_PTR(-ENOKEY); - return keyring_search_aux(keyring, current->cred, type, description, type->match, false); }