From: GUO Zihua <guozihua@huawei.com> hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5H4FC CVE: NA -------------------------------- Under normal condition, when there is a user id packet, there will always be a public key packet in the front, meaning ctx.fingerprint will never be NULL. However, if a malicious or faulty PGP key is provided with only user id packet but not public key packet, a read out-of-bound will be triggered during the generation of key description. To make things worse, a NULL pointer deference could be triggered in pgp_key_generate_id(). This patch adds a safe guard which prevents parsing the key further if no public key packet is provided. Fixes: a98cb7a4b757 ("KEYS: Provide PGP key description autogeneration") Signed-off-by: GUO Zihua <guozihua@huawei.com> Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com> --- crypto/asymmetric_keys/pgp_public_key.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/crypto/asymmetric_keys/pgp_public_key.c b/crypto/asymmetric_keys/pgp_public_key.c index 33a089797e59..98b1707a0164 100644 --- a/crypto/asymmetric_keys/pgp_public_key.c +++ b/crypto/asymmetric_keys/pgp_public_key.c @@ -315,6 +315,11 @@ static int pgp_key_parse(struct key_preparsed_payload *prep) if (ret < 0) goto error; + if (!ctx.fingerprint) { + ret = -EINVAL; + goto error; + } + if (ctx.user_id && ctx.user_id_len > 0) { /* Propose a description for the key * (user ID without the comment) -- 2.20.1