keys: Guard against null match function in keyring_search_aux()
commite2b41f761b086da2ec43b1cfea14ca0681cd08b0
authorBen Hutchings <ben@decadent.org.uk>
Sat, 1 Apr 2017 03:55:18 +0000 (1 04:55 +0100)
committerBen Hutchings <ben@decadent.org.uk>
Tue, 4 Apr 2017 21:18:33 +0000 (4 22:18 +0100)
tree37a41463c8c8f9420ffa57beb5acc6e8dfa9e3a8
parent2147a17048314f069838aace1d08b8c719448b50
keys: Guard against null match function in keyring_search_aux()

The "dead" key type has no match operation, and a search for keys of
this type can cause a null dereference in keyring_search_aux().
keyring_search() has a check for this, but request_keyring_and_link()
does not.  Move the check into keyring_search_aux(), covering both of
them.

This was fixed upstream by commit c06cfb08b88d ("KEYS: Remove
key_type::match in favour of overriding default by match_preparse"),
part of a series of large changes that are not suitable for
backporting.

CVE-2017-2647 / CVE-2017-6951

Reported-by: Igor Redko <redkoi@virtuozzo.com>
Reported-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2647
Reported-by: idl3r <idler1984@gmail.com>
References: https://www.spinics.net/lists/keyrings/msg01845.html
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: David Howells <dhowells@redhat.com>
security/keys/keyring.c