1. Patchew
  2. linux
  3. View series

[PATCH] KEYS: fix overflow in keyctl_pkey_params_get_2()

Jarkko Sakkinen posted 1 patch 1 week, 1 day ago 
security/keys/keyctl_pkey.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
[PATCH] KEYS: fix overflow in keyctl_pkey_params_get_2()
Posted by Jarkko Sakkinen 1 week, 1 day ago 
The length for the internal output buffer is calculated incorrectly, which
can result overflow when a too small buffer is provided.

Fix the bug by allocating internal output with the size of the maximum
length of the cryptographic primitive instead of caller provided size.

Cc: stable@vger.kernel.org # v4.20+
Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]")
Reported-by: Alessandro Grupp <ale.grpp@gmail.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
---
Alessandro, please correct if I put the last name correctly (and
sincere apologies if not).
 security/keys/keyctl_pkey.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/security/keys/keyctl_pkey.c b/security/keys/keyctl_pkey.c
index 97bc27bbf079..ba150ee2d4a3 100644
--- a/security/keys/keyctl_pkey.c
+++ b/security/keys/keyctl_pkey.c
@@ -138,28 +138,35 @@ static int keyctl_pkey_params_get_2(const struct keyctl_pkey_params __user *_par
 		if (uparams.in_len  > info.max_dec_size ||
 		    uparams.out_len > info.max_enc_size)
 			return -EINVAL;
+
+		params->out_len = info.max_enc_size;
 		break;
 	case KEYCTL_PKEY_DECRYPT:
 		if (uparams.in_len  > info.max_enc_size ||
 		    uparams.out_len > info.max_dec_size)
 			return -EINVAL;
+
+		params->out_len = info.max_dec_size;
 		break;
 	case KEYCTL_PKEY_SIGN:
 		if (uparams.in_len  > info.max_data_size ||
 		    uparams.out_len > info.max_sig_size)
 			return -EINVAL;
+
+		params->out_len = info.max_sig_size;
 		break;
 	case KEYCTL_PKEY_VERIFY:
 		if (uparams.in_len  > info.max_data_size ||
 		    uparams.in2_len > info.max_sig_size)
 			return -EINVAL;
+
+		params->out_len = info.max_sig_size;
 		break;
 	default:
 		BUG();
 	}

 	params->in_len  = uparams.in_len;
-	params->out_len = uparams.out_len; /* Note: same as in2_len */
 	return 0;
 }

--
2.47.3
Re: [PATCH] KEYS: fix overflow in keyctl_pkey_params_get_2()
Posted by Jarkko Sakkinen 1 week, 1 day ago 
On Sun, May 31, 2026 at 05:49:13AM +0300, Jarkko Sakkinen wrote:
> The length for the internal output buffer is calculated incorrectly, which
> can result overflow when a too small buffer is provided.
> 
> Fix the bug by allocating internal output with the size of the maximum
> length of the cryptographic primitive instead of caller provided size.
> 
> Cc: stable@vger.kernel.org # v4.20+
> Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]")
> Reported-by: Alessandro Grupp <ale.grpp@gmail.com>
> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>

Should be available in -next within a day or along the lines so please
be quick with tags/feedback. I'll forward a PR as soon as all is good.

BR, Jarkko

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.