KEYS: DH: validate __spare field

commit 4f9dabfaf8df971f8a3b6aa324f8f817be38d538 upstream.

Syscalls must validate that their reserved arguments are zero and return
EINVAL otherwise.  Otherwise, it will be impossible to actually use them
for anything in the future because existing programs may be passing
garbage in.  This is standard practice when adding new APIs.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/security/keys/compat_dh.c b/security/keys/compat_dh.c
index a6a659b6bcb6d1d92daa0ddb5c207a3c399857db..aa6b34cafe5f9482cc5c5e98224bde15e2ddb6d2 100644 (file)
--- a/security/keys/compat_dh.c
+++ b/security/keys/compat_dh.c
@@ -33,6 +33,8 @@ long compat_keyctl_dh_compute(struct keyctl_dh_params __user *params,
        kdfcopy.hashname = compat_ptr(compat_kdfcopy.hashname);
        kdfcopy.otherinfo = compat_ptr(compat_kdfcopy.otherinfo);
        kdfcopy.otherinfolen = compat_kdfcopy.otherinfolen;
+       memcpy(kdfcopy.__spare, compat_kdfcopy.__spare,
+              sizeof(kdfcopy.__spare));
 
        return __keyctl_dh_compute(params, buffer, buflen, &kdfcopy);
 }

diff --git a/security/keys/dh.c b/security/keys/dh.c
index 4755d4b4f94544236cd2b8cca1b2169b895579b7..d1ea9f325f947891f0699b4c417ee5545fcfe0a4 100644 (file)
--- a/security/keys/dh.c
+++ b/security/keys/dh.c
@@ -266,6 +266,11 @@ long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
        if (kdfcopy) {
                char *hashname;
 
+               if (memchr_inv(kdfcopy->__spare, 0, sizeof(kdfcopy->__spare))) {
+                       ret = -EINVAL;
+                       goto out1;
+               }
+
                if (buflen > KEYCTL_KDF_MAX_OUTPUT_LEN ||
                    kdfcopy->otherinfolen > KEYCTL_KDF_MAX_OI_LEN) {
                        ret = -EMSGSIZE;