From: GUO Zihua guozihua@huawei.com
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5H4FC CVE: NA
--------------------------------
Under normal condition, when there is a user id packet, there will always be a public key packet in the front, meaning ctx.fingerprint will never be NULL. However, if a malicious or faulty PGP key is provided with only user id packet but not public key packet, a read out-of-bound will be triggered during the generation of key description. To make things worse, a NULL pointer deference could be triggered in pgp_key_generate_id().
This patch adds a safe guard which prevents parsing the key further if no public key packet is provided.
Fixes: a98cb7a4b757 ("KEYS: Provide PGP key description autogeneration") Signed-off-by: GUO Zihua guozihua@huawei.com Reviewed-by: Roberto Sassu roberto.sassu@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- crypto/asymmetric_keys/pgp_public_key.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/crypto/asymmetric_keys/pgp_public_key.c b/crypto/asymmetric_keys/pgp_public_key.c index 33a089797e59..98b1707a0164 100644 --- a/crypto/asymmetric_keys/pgp_public_key.c +++ b/crypto/asymmetric_keys/pgp_public_key.c @@ -315,6 +315,11 @@ static int pgp_key_parse(struct key_preparsed_payload *prep) if (ret < 0) goto error;
+ if (!ctx.fingerprint) { + ret = -EINVAL; + goto error; + } + if (ctx.user_id && ctx.user_id_len > 0) { /* Propose a description for the key * (user ID without the comment)