KEYS: DH: don't feed uninitialized "otherinfo" into KDF
If userspace called KEYCTL_DH_COMPUTE with kdf_params containing NULL otherinfo but nonzero otherinfolen, the kernel would allocate a buffer for the otherinfo, then feed it into the KDF without initializing it. Fix this by always doing the copy from userspace (which will fail with EFAULT in this scenario). Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: James Morris <james.l.morris@oracle.com>
This commit is contained in:
parent
bbe240454d
commit
281590b422
@ -317,7 +317,7 @@ long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
|
||||
* Concatenate SP800-56A otherinfo past DH shared secret -- the
|
||||
* input to the KDF is (DH shared secret || otherinfo)
|
||||
*/
|
||||
if (kdfcopy && kdfcopy->otherinfo &&
|
||||
if (kdfcopy &&
|
||||
copy_from_user(kbuf + resultlen, kdfcopy->otherinfo,
|
||||
kdfcopy->otherinfolen) != 0) {
|
||||
ret = -EFAULT;
|
||||
|
Loading…
Reference in New Issue
Block a user