summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJarkko Sakkinen <jarkko@kernel.org>2026-06-01 23:11:54 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2026-07-04 13:38:40 +0200
commit622ec2dcd59f21623f2a7ab773c80ceb7d555e3a (patch)
tree0969102df485c656cd79b5e732803e1ce4320445
parent3a2b378b3a9ca75d3518d879148d2ad25b5714a9 (diff)
downloadlinux-622ec2dcd59f21623f2a7ab773c80ceb7d555e3a.tar.gz
linux-622ec2dcd59f21623f2a7ab773c80ceb7d555e3a.zip
KEYS: fix overflow in keyctl_pkey_params_get_2()
commit cb481e59ea6cae3b7796ac1d7a22b6b24c3f3c0b upstream. The length for the internal output buffer is calculated incorrectly, which can result overflow when a too small buffer is provided. Fix the bug by allocating internal output with the size of the maximum length of the cryptographic primitive instead of caller provided size. Link: https://lore.kernel.org/keyrings/20260531024914.3712130-1-jarkko@kernel.org/ Cc: stable@vger.kernel.org # v4.20+ Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]") Reported-by: Alessandro Groppo <ale.grpp@gmail.com> Tested-by: Alessandro Groppo <ale.grpp@gmail.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--security/keys/keyctl_pkey.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/security/keys/keyctl_pkey.c b/security/keys/keyctl_pkey.c
index 63e5c646f762..4a9c61f7cdaa 100644
--- a/security/keys/keyctl_pkey.c
+++ b/security/keys/keyctl_pkey.c
@@ -138,28 +138,35 @@ static int keyctl_pkey_params_get_2(const struct keyctl_pkey_params __user *_par
if (uparams.in_len > info.max_dec_size ||
uparams.out_len > info.max_enc_size)
return -EINVAL;
+
+ params->out_len = info.max_enc_size;
break;
case KEYCTL_PKEY_DECRYPT:
if (uparams.in_len > info.max_enc_size ||
uparams.out_len > info.max_dec_size)
return -EINVAL;
+
+ params->out_len = info.max_dec_size;
break;
case KEYCTL_PKEY_SIGN:
if (uparams.in_len > info.max_data_size ||
uparams.out_len > info.max_sig_size)
return -EINVAL;
+
+ params->out_len = info.max_sig_size;
break;
case KEYCTL_PKEY_VERIFY:
if (uparams.in_len > info.max_data_size ||
uparams.in2_len > info.max_sig_size)
return -EINVAL;
+
+ params->out_len = info.max_sig_size;
break;
default:
BUG();
}
params->in_len = uparams.in_len;
- params->out_len = uparams.out_len; /* Note: same as in2_len */
return 0;
}