[PATCH 1/1][T] keys: Guard against null match function in keyring_search_aux()

[Tyler Hicks]

From: Ben Hutchings <ben at decadent.org.uk>

The "dead" key type has no match operation, and a search for keys of
this type can cause a null dereference in keyring_search_iterator().
keyring_search() has a check for this, but request_keyring_and_link()
does not.  Move the check into keyring_search_aux(), covering both of
them.

This was fixed upstream by commit c06cfb08b88d ("KEYS: Remove
key_type::match in favour of overriding default by match_preparse"),
part of a series of large changes that are not suitable for
backporting.

CVE-2017-2647 / CVE-2017-6951

Reported-by: Igor Redko <redkoi at virtuozzo.com>
Reported-by: Andrey Ryabinin <aryabinin at virtuozzo.com>
References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2647
Reported-by: idl3r <idler1984 at gmail.com>
References: https://www.spinics.net/lists/keyrings/msg01845.html
Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
Cc: David Howells <dhowells at redhat.com>

CVE-2017-2647

(cherry picked from commit c53ee259ad3da891e191dee7af119af340f9c01b linux-stable)
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 security/keys/keyring.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index dd463826515f..12effc93cf2d 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -849,6 +849,9 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
 			return ERR_PTR(err);
 	}
 
+	if (!ctx->match)
+		return ERR_PTR(-ENOKEY);
+
 	rcu_read_lock();
 	ctx->now = current_kernel_time();
 	if (search_nested_keyrings(keyring, ctx))
@@ -880,9 +883,6 @@ key_ref_t keyring_search(key_ref_t keyring,
 					   KEYRING_SEARCH_DO_STATE_CHECK),
 	};
 
-	if (!ctx.match)
-		return ERR_PTR(-ENOKEY);
-
 	return keyring_search_aux(keyring, &ctx);
 }
 EXPORT_SYMBOL(keyring_search);
-- 
2.7.4