KEYS: DH: don't feed uninitialized "otherinfo" into KDF
author Eric Biggers <[email protected]>
Thu, 8 Jun 2017 13:49:42 +0000 (14:49 +0100)
committer James Morris <[email protected]>
Fri, 9 Jun 2017 03:29:49 +0000 (13:29 +1000)
If userspace called KEYCTL_DH_COMPUTE with kdf_params containing NULL
otherinfo but nonzero otherinfolen, the kernel would allocate a buffer
for the otherinfo, then feed it into the KDF without initializing it.
Fix this by always doing the copy from userspace (which will fail with
EFAULT in this scenario).

Signed-off-by: Eric Biggers <[email protected]>
Signed-off-by: David Howells <[email protected]>
Acked-by: Stephan Mueller <[email protected]>
Signed-off-by: James Morris <[email protected]>
security/keys/dh.c

index 8abc70ebe22dfbff556a8e675c4832f9cf3f60ff..1c1cac6770410104f2faf9f663d1d37feb168793 100644 (file)
@@ -317,7 +317,7 @@ long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
         * Concatenate SP800-56A otherinfo past DH shared secret -- the
         * input to the KDF is (DH shared secret || otherinfo)
         */
-       if (kdfcopy && kdfcopy->otherinfo &&
+       if (kdfcopy &&
            copy_from_user(kbuf + resultlen, kdfcopy->otherinfo,
                           kdfcopy->otherinfolen) != 0) {
                ret = -EFAULT;
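
Review bot: The simplified condition at `if (kdfcopy &&` now relies on two copy_from_user() behaviours that the code does not state. A zero-length copy from a NULL otherinfo has to succeed, which is the legitimate case of a caller supplying no otherinfo, and a NULL otherinfo with nonzero otherinfolen has to fail so that -EFAULT is returned. Suggest extending the comment above the check to say that the copy is deliberately unconditional, so that a later cleanup does not reinstate the `kdfcopy->otherinfo &&` test and reopen the uninitialized-buffer case described in the commit message.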