[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 1 Jan 2019 13:08:41 -0800
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Eric Biggers <ebiggers@...nel.org>
Cc: David Howells <dhowells@...hat.com>,
James Bottomley <James.Bottomley@...senpartnership.com>,
James Morris <jmorris@...ei.org>,
Mimi Zohar <zohar@...ux.vnet.ibm.com>,
Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>,
Peter Huewe <peterhuewe@....de>, keyrings@...r.kernel.org,
Linux List Kernel Mailing <linux-kernel@...r.kernel.org>,
syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH RESEND] KEYS: fix parsing invalid pkey info string
On Mon, Dec 31, 2018 at 2:45 PM Eric Biggers <ebiggers@...nel.org> wrote:
>
> KEYCTL_PKEY_QUERY is still failing basic fuzzing even after Linus' fix that
> changed Opt_err from -1 to 0. The crash is still in keyctl_pkey_params_parse():
>
> token = match_token(p, param_keys, args);
> if (__test_and_set_bit(token, &token_mask))
> return -EINVAL;
> q = args[0].from;
> if (!q[0])
> return -EINVAL;
>
> Now it crashes on '!q[0]' because 'args[0].from' is uninitialized when
> token == Opt_err. args[0] is only initialized when the parsed token had a
> pattern that set it.
Argh., how embarrassing. And it turns out that James' suggestion to
initialize token_mask would actually have fixed that, for subtle
reasons (but subtle was what I didn't want).
I detest that match_token() interface, but this key code then mis-uses
it in ways it wasn't even meant for, and tries to "share" error paths
that aren't actually common.
I'll take your original patch, which I clearly should have done originally.
Thanks, and sorry for the wasted time,
Linus
Powered by blists - more mailing lists