On Mon, Dec 31, 2018 at 2:45 PM Eric Biggers <ebigg...@kernel.org> wrote:
>
> KEYCTL_PKEY_QUERY is still failing basic fuzzing even after Linus' fix that
> changed Opt_err from -1 to 0.  The crash is still in
> keyctl_pkey_params_parse():
>
>     token = match_token(p, param_keys, args);
>     if (__test_and_set_bit(token, &token_mask))
>         return -EINVAL;
>     q = args[0].from;
>     if (!q[0])
>         return -EINVAL;
>
> Now it crashes on '!q[0]' because 'args[0].from' is uninitialized when
> token == Opt_err.  args[0] is only initialized when the parsed token had a
> pattern that set it.
Argh, how embarrassing.

And it turns out that James' suggestion to initialize token_mask would
actually have fixed that, for subtle reasons (but subtle was what I didn't
want).

I detest that match_token() interface, but this key code then mis-uses it in
ways it wasn't even meant for, and tries to "share" error paths that aren't
actually common.

I'll take your original patch, which I clearly should have done originally.

Thanks, and sorry for the wasted time,

Linus
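The pitfall under discussion, reduced to a small self-contained C example. This is an added illustration, not code from the thread or from the kernel: it uses a minimal userspace stand-in for the kernel's match_token()/substring_t API (an assumption, supporting only "name=%s" patterns plus a trailing catch-all), constructed option names ("enc", "hash") that are not the real keyctl parameters, and constructed sample inputs. It shows the root cause (args[] is left untouched when the catch-all Opt_err is returned) and the safe ordering: reject Opt_err before reading anything from args[].

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-in for the kernel types (assumption: simplified shapes). */
struct substring { const char *from; const char *to; };
struct match_tok { int token; const char *pattern; };

/* Opt_err is 0 so a bit test on it is at least in range, as in Linus' fix. */
enum { Opt_err = 0, Opt_enc, Opt_hash };

/* Constructed option table; the last entry is the catch-all with no pattern. */
static const struct match_tok param_keys[] = {
    { Opt_enc,  "enc=%s"  },
    { Opt_hash, "hash=%s" },
    { Opt_err,  NULL      },
};

/* Minimal match_token(): on a "name=%s" match, args[0] points at the value.
 * On the catch-all it returns the last entry's token and does NOT write
 * args[] at all, which is exactly the property the thread is about. */
static int match_token(const char *s, const struct match_tok *table,
                       struct substring args[])
{
    const struct match_tok *t;
    for (t = table; t->pattern; t++) {
        const char *pct = strstr(t->pattern, "%s");
        size_t plen = pct ? (size_t)(pct - t->pattern) : strlen(t->pattern);
        if (strncmp(s, t->pattern, plen) == 0) {
            if (pct) {
                args[0].from = s + plen;
                args[0].to   = s + strlen(s);
            }
            return t->token;
        }
    }
    return t->token;   /* catch-all: args[] untouched */
}

/* Demonstrates the root cause: after an unknown key, args[0] still holds
 * whatever it held before the call (here, the NULL we put there). */
static bool args_untouched_on_err(const char *p)
{
    struct substring args[1] = { { NULL, NULL } };
    int token = match_token(p, param_keys, args);
    return token == Opt_err && args[0].from == NULL;
}

/* Safe ordering: reject Opt_err first, then the duplicate check, and only
 * then touch args[0], which is guaranteed filled for every real token. */
static int parse_param(const char *p, unsigned long *token_mask,
                       const char **value)
{
    struct substring args[1] = { { NULL, NULL } }; /* defensive init */
    int token = match_token(p, param_keys, args);
    const char *q;

    if (token == Opt_err)                 /* unknown key: args[] is meaningless */
        return -EINVAL;
    if (*token_mask & (1UL << token))     /* each key may appear only once */
        return -EINVAL;
    *token_mask |= 1UL << token;

    q = args[0].from;                     /* now known to be set */
    if (!q[0])                            /* "enc=" with an empty value */
        return -EINVAL;
    *value = q;
    return token;
}

/* Parses a space-separated "key=value" list into token_mask.
 * Returns 0 on success, -EINVAL on any unknown, duplicate or empty key. */
static int parse_params(const char *s, unsigned long *token_mask)
{
    char buf[256];
    char *p;
    if (strlen(s) >= sizeof buf)
        return -EINVAL;
    strcpy(buf, s);
    for (p = strtok(buf, " "); p; p = strtok(NULL, " ")) {
        const char *v;
        if (parse_param(p, token_mask, &v) < 0)
            return -EINVAL;
    }
    return 0;
}

int main(void)
{
    unsigned long mask = 0;
    /* Constructed sample inputs. */
    printf("valid:     %d\n", parse_params("enc=pkcs1 hash=sha256", &mask));
    mask = 0;
    printf("unknown:   %d\n", parse_params("bogus=1", &mask));
    printf("untouched: %d\n", args_untouched_on_err("bogus=1"));
    return 0;
}
```

The behaviour to internalise is in match_token(): the catch-all path returns a token but writes nothing into args[], so any read of args[0] that happens before the token is checked is a read of whatever the caller left on its stack. Initialising the array hides the crash but does not make the value meaningful; checking for Opt_err first is the fix.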