mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-30 15:44:13 +08:00
d55901522f
When making a DNS query inside the kernel using dns_query(), the request
code can in rare cases end up creating a duplicate index key in the
assoc_array of the destination keyring. It is eventually found by
a BUG_ON() check in the assoc_array implementation and results in
a crash.
Example report:
[2158499.700025] kernel BUG at ../lib/assoc_array.c:652!
[2158499.700039] invalid opcode: 0000 [#1] SMP PTI
[2158499.700065] CPU: 3 PID: 31985 Comm: kworker/3:1 Kdump: loaded Not tainted 5.3.18-150300.59.90-default #1 SLE15-SP3
[2158499.700096] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[2158499.700351] Workqueue: cifsiod cifs_resolve_server [cifs]
[2158499.700380] RIP: 0010:assoc_array_insert+0x85f/0xa40
[2158499.700401] Code: ff 74 2b 48 8b 3b 49 8b 45 18 4c 89 e6 48 83 e7 fe e8 95 ec 74 00 3b 45 88 7d db 85 c0 79 d4 0f 0b 0f 0b 0f 0b e8 41 f2 be ff <0f> 0b 0f 0b 81 7d 88 ff ff ff 7f 4c 89 eb 4c 8b ad 58 ff ff ff 0f
[2158499.700448] RSP: 0018:ffffc0bd6187faf0 EFLAGS: 00010282
[2158499.700470] RAX: ffff9f1ea7da2fe8 RBX: ffff9f1ea7da2fc1 RCX: 0000000000000005
[2158499.700492] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000
[2158499.700515] RBP: ffffc0bd6187fbb0 R08: ffff9f185faf1100 R09: 0000000000000000
[2158499.700538] R10: ffff9f1ea7da2cc0 R11: 000000005ed8cec8 R12: ffffc0bd6187fc28
[2158499.700561] R13: ffff9f15feb8d000 R14: ffff9f1ea7da2fc0 R15: ffff9f168dc0d740
[2158499.700585] FS: 0000000000000000(0000) GS:ffff9f185fac0000(0000) knlGS:0000000000000000
[2158499.700610] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[2158499.700630] CR2: 00007fdd94fca238 CR3: 0000000809d8c006 CR4: 00000000003706e0
[2158499.700702] Call Trace:
[2158499.700741] ? key_alloc+0x447/0x4b0
[2158499.700768] ? __key_link_begin+0x43/0xa0
[2158499.700790] __key_link_begin+0x43/0xa0
[2158499.700814] request_key_and_link+0x2c7/0x730
[2158499.700847] ? dns_resolver_read+0x20/0x20 [dns_resolver]
[2158499.700873] ? key_default_cmp+0x20/0x20
[2158499.700898] request_key_tag+0x43/0xa0
[2158499.700926] dns_query+0x114/0x2ca [dns_resolver]
[2158499.701127] dns_resolve_server_name_to_ip+0x194/0x310 [cifs]
[2158499.701164] ? scnprintf+0x49/0x90
[2158499.701190] ? __switch_to_asm+0x40/0x70
[2158499.701211] ? __switch_to_asm+0x34/0x70
[2158499.701405] reconn_set_ipaddr_from_hostname+0x81/0x2a0 [cifs]
[2158499.701603] cifs_resolve_server+0x4b/0xd0 [cifs]
[2158499.701632] process_one_work+0x1f8/0x3e0
[2158499.701658] worker_thread+0x2d/0x3f0
[2158499.701682] ? process_one_work+0x3e0/0x3e0
[2158499.701703] kthread+0x10d/0x130
[2158499.701723] ? kthread_park+0xb0/0xb0
[2158499.701746] ret_from_fork+0x1f/0x40
The situation occurs as follows:
* Some kernel facility invokes dns_query() to resolve a hostname, for
example, "abcdef". The function registers its global DNS resolver
cache as current->cred.thread_keyring and passes the query to
request_key_net() -> request_key_tag() -> request_key_and_link().
* Function request_key_and_link() creates a keyring_search_context
object. Its match_data.cmp method gets set via a call to
type->match_preparse() (resolves to dns_resolver_match_preparse()) to
dns_resolver_cmp().
* Function request_key_and_link() continues and invokes
search_process_keyrings_rcu() which returns that a given key was not
found. The control is then passed to request_key_and_link() ->
construct_alloc_key().
* Concurrently to that, a second task similarly makes a DNS query for
"abcdef." and its result gets inserted into the DNS resolver cache.
* Back on the first task, function construct_alloc_key() first runs
__key_link_begin() to determine an assoc_array_edit operation to
insert a new key. Index keys in the array are compared exactly as-is,
using keyring_compare_object(). The operation finds that "abcdef" is
not yet present in the destination keyring.
* Function construct_alloc_key() continues and checks if a given key is
already present on some keyring by again calling
search_process_keyrings_rcu(). This search is done using
dns_resolver_cmp() and "abcdef" gets matched with now present key
"abcdef.".
* The found key is linked on the destination keyring by calling
__key_link() and using the previously calculated assoc_array_edit
operation. This inserts the "abcdef." key in the array but creates
a duplicity because the same index key is already present.
Fix the problem by postponing __key_link_begin() in
construct_alloc_key() until an actual key which should be linked into
the destination keyring is determined.
[jarkko@kernel.org: added a fixes tag and cc to stable]
Cc: stable@vger.kernel.org # v5.3+
Fixes: df593ee23e
("keys: Hoist locking out of __key_link_begin()")
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Reviewed-by: Joey Lee <jlee@suse.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
822 lines
22 KiB
C
822 lines
22 KiB
C
// SPDX-License-Identifier: GPL-2.0-or-later
|
|
/* Request a key from userspace
|
|
*
|
|
* Copyright (C) 2004-2007 Red Hat, Inc. All Rights Reserved.
|
|
* Written by David Howells (dhowells@redhat.com)
|
|
*
|
|
* See Documentation/security/keys/request-key.rst
|
|
*/
|
|
|
|
#include <linux/export.h>
|
|
#include <linux/sched.h>
|
|
#include <linux/kmod.h>
|
|
#include <linux/err.h>
|
|
#include <linux/keyctl.h>
|
|
#include <linux/slab.h>
|
|
#include <net/net_namespace.h>
|
|
#include "internal.h"
|
|
#include <keys/request_key_auth-type.h>
|
|
|
|
#define key_negative_timeout 60 /* default timeout on a negative key's existence */
|
|
|
|
static struct key *check_cached_key(struct keyring_search_context *ctx)
|
|
{
|
|
#ifdef CONFIG_KEYS_REQUEST_CACHE
|
|
struct key *key = current->cached_requested_key;
|
|
|
|
if (key &&
|
|
ctx->match_data.cmp(key, &ctx->match_data) &&
|
|
!(key->flags & ((1 << KEY_FLAG_INVALIDATED) |
|
|
(1 << KEY_FLAG_REVOKED))))
|
|
return key_get(key);
|
|
#endif
|
|
return NULL;
|
|
}
|
|
|
|
static void cache_requested_key(struct key *key)
|
|
{
|
|
#ifdef CONFIG_KEYS_REQUEST_CACHE
|
|
struct task_struct *t = current;
|
|
|
|
/* Do not cache key if it is a kernel thread */
|
|
if (!(t->flags & PF_KTHREAD)) {
|
|
key_put(t->cached_requested_key);
|
|
t->cached_requested_key = key_get(key);
|
|
set_tsk_thread_flag(t, TIF_NOTIFY_RESUME);
|
|
}
|
|
#endif
|
|
}
|
|
|
|
/**
|
|
* complete_request_key - Complete the construction of a key.
|
|
* @authkey: The authorisation key.
|
|
* @error: The success or failute of the construction.
|
|
*
|
|
* Complete the attempt to construct a key. The key will be negated
|
|
* if an error is indicated. The authorisation key will be revoked
|
|
* unconditionally.
|
|
*/
|
|
void complete_request_key(struct key *authkey, int error)
|
|
{
|
|
struct request_key_auth *rka = get_request_key_auth(authkey);
|
|
struct key *key = rka->target_key;
|
|
|
|
kenter("%d{%d},%d", authkey->serial, key->serial, error);
|
|
|
|
if (error < 0)
|
|
key_negate_and_link(key, key_negative_timeout, NULL, authkey);
|
|
else
|
|
key_revoke(authkey);
|
|
}
|
|
EXPORT_SYMBOL(complete_request_key);
|
|
|
|
/*
|
|
* Initialise a usermode helper that is going to have a specific session
|
|
* keyring.
|
|
*
|
|
* This is called in context of freshly forked kthread before kernel_execve(),
|
|
* so we can simply install the desired session_keyring at this point.
|
|
*/
|
|
static int umh_keys_init(struct subprocess_info *info, struct cred *cred)
|
|
{
|
|
struct key *keyring = info->data;
|
|
|
|
return install_session_keyring_to_cred(cred, keyring);
|
|
}
|
|
|
|
/*
|
|
* Clean up a usermode helper with session keyring.
|
|
*/
|
|
static void umh_keys_cleanup(struct subprocess_info *info)
|
|
{
|
|
struct key *keyring = info->data;
|
|
key_put(keyring);
|
|
}
|
|
|
|
/*
|
|
* Call a usermode helper with a specific session keyring.
|
|
*/
|
|
static int call_usermodehelper_keys(const char *path, char **argv, char **envp,
|
|
struct key *session_keyring, int wait)
|
|
{
|
|
struct subprocess_info *info;
|
|
|
|
info = call_usermodehelper_setup(path, argv, envp, GFP_KERNEL,
|
|
umh_keys_init, umh_keys_cleanup,
|
|
session_keyring);
|
|
if (!info)
|
|
return -ENOMEM;
|
|
|
|
key_get(session_keyring);
|
|
return call_usermodehelper_exec(info, wait);
|
|
}
|
|
|
|
/*
|
|
* Request userspace finish the construction of a key
|
|
* - execute "/sbin/request-key <op> <key> <uid> <gid> <keyring> <keyring> <keyring>"
|
|
*/
|
|
static int call_sbin_request_key(struct key *authkey, void *aux)
|
|
{
|
|
static char const request_key[] = "/sbin/request-key";
|
|
struct request_key_auth *rka = get_request_key_auth(authkey);
|
|
const struct cred *cred = current_cred();
|
|
key_serial_t prkey, sskey;
|
|
struct key *key = rka->target_key, *keyring, *session, *user_session;
|
|
char *argv[9], *envp[3], uid_str[12], gid_str[12];
|
|
char key_str[12], keyring_str[3][12];
|
|
char desc[20];
|
|
int ret, i;
|
|
|
|
kenter("{%d},{%d},%s", key->serial, authkey->serial, rka->op);
|
|
|
|
ret = look_up_user_keyrings(NULL, &user_session);
|
|
if (ret < 0)
|
|
goto error_us;
|
|
|
|
/* allocate a new session keyring */
|
|
sprintf(desc, "_req.%u", key->serial);
|
|
|
|
cred = get_current_cred();
|
|
keyring = keyring_alloc(desc, cred->fsuid, cred->fsgid, cred,
|
|
KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ,
|
|
KEY_ALLOC_QUOTA_OVERRUN, NULL, NULL);
|
|
put_cred(cred);
|
|
if (IS_ERR(keyring)) {
|
|
ret = PTR_ERR(keyring);
|
|
goto error_alloc;
|
|
}
|
|
|
|
/* attach the auth key to the session keyring */
|
|
ret = key_link(keyring, authkey);
|
|
if (ret < 0)
|
|
goto error_link;
|
|
|
|
/* record the UID and GID */
|
|
sprintf(uid_str, "%d", from_kuid(&init_user_ns, cred->fsuid));
|
|
sprintf(gid_str, "%d", from_kgid(&init_user_ns, cred->fsgid));
|
|
|
|
/* we say which key is under construction */
|
|
sprintf(key_str, "%d", key->serial);
|
|
|
|
/* we specify the process's default keyrings */
|
|
sprintf(keyring_str[0], "%d",
|
|
cred->thread_keyring ? cred->thread_keyring->serial : 0);
|
|
|
|
prkey = 0;
|
|
if (cred->process_keyring)
|
|
prkey = cred->process_keyring->serial;
|
|
sprintf(keyring_str[1], "%d", prkey);
|
|
|
|
session = cred->session_keyring;
|
|
if (!session)
|
|
session = user_session;
|
|
sskey = session->serial;
|
|
|
|
sprintf(keyring_str[2], "%d", sskey);
|
|
|
|
/* set up a minimal environment */
|
|
i = 0;
|
|
envp[i++] = "HOME=/";
|
|
envp[i++] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
|
|
envp[i] = NULL;
|
|
|
|
/* set up the argument list */
|
|
i = 0;
|
|
argv[i++] = (char *)request_key;
|
|
argv[i++] = (char *)rka->op;
|
|
argv[i++] = key_str;
|
|
argv[i++] = uid_str;
|
|
argv[i++] = gid_str;
|
|
argv[i++] = keyring_str[0];
|
|
argv[i++] = keyring_str[1];
|
|
argv[i++] = keyring_str[2];
|
|
argv[i] = NULL;
|
|
|
|
/* do it */
|
|
ret = call_usermodehelper_keys(request_key, argv, envp, keyring,
|
|
UMH_WAIT_PROC);
|
|
kdebug("usermode -> 0x%x", ret);
|
|
if (ret >= 0) {
|
|
/* ret is the exit/wait code */
|
|
if (test_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags) ||
|
|
key_validate(key) < 0)
|
|
ret = -ENOKEY;
|
|
else
|
|
/* ignore any errors from userspace if the key was
|
|
* instantiated */
|
|
ret = 0;
|
|
}
|
|
|
|
error_link:
|
|
key_put(keyring);
|
|
|
|
error_alloc:
|
|
key_put(user_session);
|
|
error_us:
|
|
complete_request_key(authkey, ret);
|
|
kleave(" = %d", ret);
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* Call out to userspace for key construction.
|
|
*
|
|
* Program failure is ignored in favour of key status.
|
|
*/
|
|
static int construct_key(struct key *key, const void *callout_info,
|
|
size_t callout_len, void *aux,
|
|
struct key *dest_keyring)
|
|
{
|
|
request_key_actor_t actor;
|
|
struct key *authkey;
|
|
int ret;
|
|
|
|
kenter("%d,%p,%zu,%p", key->serial, callout_info, callout_len, aux);
|
|
|
|
/* allocate an authorisation key */
|
|
authkey = request_key_auth_new(key, "create", callout_info, callout_len,
|
|
dest_keyring);
|
|
if (IS_ERR(authkey))
|
|
return PTR_ERR(authkey);
|
|
|
|
/* Make the call */
|
|
actor = call_sbin_request_key;
|
|
if (key->type->request_key)
|
|
actor = key->type->request_key;
|
|
|
|
ret = actor(authkey, aux);
|
|
|
|
/* check that the actor called complete_request_key() prior to
|
|
* returning an error */
|
|
WARN_ON(ret < 0 &&
|
|
!test_bit(KEY_FLAG_INVALIDATED, &authkey->flags));
|
|
|
|
key_put(authkey);
|
|
kleave(" = %d", ret);
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* Get the appropriate destination keyring for the request.
|
|
*
|
|
* The keyring selected is returned with an extra reference upon it which the
|
|
* caller must release.
|
|
*/
|
|
static int construct_get_dest_keyring(struct key **_dest_keyring)
|
|
{
|
|
struct request_key_auth *rka;
|
|
const struct cred *cred = current_cred();
|
|
struct key *dest_keyring = *_dest_keyring, *authkey;
|
|
int ret;
|
|
|
|
kenter("%p", dest_keyring);
|
|
|
|
/* find the appropriate keyring */
|
|
if (dest_keyring) {
|
|
/* the caller supplied one */
|
|
key_get(dest_keyring);
|
|
} else {
|
|
bool do_perm_check = true;
|
|
|
|
/* use a default keyring; falling through the cases until we
|
|
* find one that we actually have */
|
|
switch (cred->jit_keyring) {
|
|
case KEY_REQKEY_DEFL_DEFAULT:
|
|
case KEY_REQKEY_DEFL_REQUESTOR_KEYRING:
|
|
if (cred->request_key_auth) {
|
|
authkey = cred->request_key_auth;
|
|
down_read(&authkey->sem);
|
|
rka = get_request_key_auth(authkey);
|
|
if (!test_bit(KEY_FLAG_REVOKED,
|
|
&authkey->flags))
|
|
dest_keyring =
|
|
key_get(rka->dest_keyring);
|
|
up_read(&authkey->sem);
|
|
if (dest_keyring) {
|
|
do_perm_check = false;
|
|
break;
|
|
}
|
|
}
|
|
|
|
fallthrough;
|
|
case KEY_REQKEY_DEFL_THREAD_KEYRING:
|
|
dest_keyring = key_get(cred->thread_keyring);
|
|
if (dest_keyring)
|
|
break;
|
|
|
|
fallthrough;
|
|
case KEY_REQKEY_DEFL_PROCESS_KEYRING:
|
|
dest_keyring = key_get(cred->process_keyring);
|
|
if (dest_keyring)
|
|
break;
|
|
|
|
fallthrough;
|
|
case KEY_REQKEY_DEFL_SESSION_KEYRING:
|
|
dest_keyring = key_get(cred->session_keyring);
|
|
|
|
if (dest_keyring)
|
|
break;
|
|
|
|
fallthrough;
|
|
case KEY_REQKEY_DEFL_USER_SESSION_KEYRING:
|
|
ret = look_up_user_keyrings(NULL, &dest_keyring);
|
|
if (ret < 0)
|
|
return ret;
|
|
break;
|
|
|
|
case KEY_REQKEY_DEFL_USER_KEYRING:
|
|
ret = look_up_user_keyrings(&dest_keyring, NULL);
|
|
if (ret < 0)
|
|
return ret;
|
|
break;
|
|
|
|
case KEY_REQKEY_DEFL_GROUP_KEYRING:
|
|
default:
|
|
BUG();
|
|
}
|
|
|
|
/*
|
|
* Require Write permission on the keyring. This is essential
|
|
* because the default keyring may be the session keyring, and
|
|
* joining a keyring only requires Search permission.
|
|
*
|
|
* However, this check is skipped for the "requestor keyring" so
|
|
* that /sbin/request-key can itself use request_key() to add
|
|
* keys to the original requestor's destination keyring.
|
|
*/
|
|
if (dest_keyring && do_perm_check) {
|
|
ret = key_permission(make_key_ref(dest_keyring, 1),
|
|
KEY_NEED_WRITE);
|
|
if (ret) {
|
|
key_put(dest_keyring);
|
|
return ret;
|
|
}
|
|
}
|
|
}
|
|
|
|
*_dest_keyring = dest_keyring;
|
|
kleave(" [dk %d]", key_serial(dest_keyring));
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Allocate a new key in under-construction state and attempt to link it in to
|
|
* the requested keyring.
|
|
*
|
|
* May return a key that's already under construction instead if there was a
|
|
* race between two thread calling request_key().
|
|
*/
|
|
static int construct_alloc_key(struct keyring_search_context *ctx,
|
|
struct key *dest_keyring,
|
|
unsigned long flags,
|
|
struct key_user *user,
|
|
struct key **_key)
|
|
{
|
|
struct assoc_array_edit *edit = NULL;
|
|
struct key *key;
|
|
key_perm_t perm;
|
|
key_ref_t key_ref;
|
|
int ret;
|
|
|
|
kenter("%s,%s,,,",
|
|
ctx->index_key.type->name, ctx->index_key.description);
|
|
|
|
*_key = NULL;
|
|
mutex_lock(&user->cons_lock);
|
|
|
|
perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR;
|
|
perm |= KEY_USR_VIEW;
|
|
if (ctx->index_key.type->read)
|
|
perm |= KEY_POS_READ;
|
|
if (ctx->index_key.type == &key_type_keyring ||
|
|
ctx->index_key.type->update)
|
|
perm |= KEY_POS_WRITE;
|
|
|
|
key = key_alloc(ctx->index_key.type, ctx->index_key.description,
|
|
ctx->cred->fsuid, ctx->cred->fsgid, ctx->cred,
|
|
perm, flags, NULL);
|
|
if (IS_ERR(key))
|
|
goto alloc_failed;
|
|
|
|
set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags);
|
|
|
|
if (dest_keyring) {
|
|
ret = __key_link_lock(dest_keyring, &key->index_key);
|
|
if (ret < 0)
|
|
goto link_lock_failed;
|
|
}
|
|
|
|
/*
|
|
* Attach the key to the destination keyring under lock, but we do need
|
|
* to do another check just in case someone beat us to it whilst we
|
|
* waited for locks.
|
|
*
|
|
* The caller might specify a comparison function which looks for keys
|
|
* that do not exactly match but are still equivalent from the caller's
|
|
* perspective. The __key_link_begin() operation must be done only after
|
|
* an actual key is determined.
|
|
*/
|
|
mutex_lock(&key_construction_mutex);
|
|
|
|
rcu_read_lock();
|
|
key_ref = search_process_keyrings_rcu(ctx);
|
|
rcu_read_unlock();
|
|
if (!IS_ERR(key_ref))
|
|
goto key_already_present;
|
|
|
|
if (dest_keyring) {
|
|
ret = __key_link_begin(dest_keyring, &key->index_key, &edit);
|
|
if (ret < 0)
|
|
goto link_alloc_failed;
|
|
__key_link(dest_keyring, key, &edit);
|
|
}
|
|
|
|
mutex_unlock(&key_construction_mutex);
|
|
if (dest_keyring)
|
|
__key_link_end(dest_keyring, &key->index_key, edit);
|
|
mutex_unlock(&user->cons_lock);
|
|
*_key = key;
|
|
kleave(" = 0 [%d]", key_serial(key));
|
|
return 0;
|
|
|
|
/* the key is now present - we tell the caller that we found it by
|
|
* returning -EINPROGRESS */
|
|
key_already_present:
|
|
key_put(key);
|
|
mutex_unlock(&key_construction_mutex);
|
|
key = key_ref_to_ptr(key_ref);
|
|
if (dest_keyring) {
|
|
ret = __key_link_begin(dest_keyring, &key->index_key, &edit);
|
|
if (ret < 0)
|
|
goto link_alloc_failed_unlocked;
|
|
ret = __key_link_check_live_key(dest_keyring, key);
|
|
if (ret == 0)
|
|
__key_link(dest_keyring, key, &edit);
|
|
__key_link_end(dest_keyring, &key->index_key, edit);
|
|
if (ret < 0)
|
|
goto link_check_failed;
|
|
}
|
|
mutex_unlock(&user->cons_lock);
|
|
*_key = key;
|
|
kleave(" = -EINPROGRESS [%d]", key_serial(key));
|
|
return -EINPROGRESS;
|
|
|
|
link_check_failed:
|
|
mutex_unlock(&user->cons_lock);
|
|
key_put(key);
|
|
kleave(" = %d [linkcheck]", ret);
|
|
return ret;
|
|
|
|
link_alloc_failed:
|
|
mutex_unlock(&key_construction_mutex);
|
|
link_alloc_failed_unlocked:
|
|
__key_link_end(dest_keyring, &key->index_key, edit);
|
|
link_lock_failed:
|
|
mutex_unlock(&user->cons_lock);
|
|
key_put(key);
|
|
kleave(" = %d [prelink]", ret);
|
|
return ret;
|
|
|
|
alloc_failed:
|
|
mutex_unlock(&user->cons_lock);
|
|
kleave(" = %ld", PTR_ERR(key));
|
|
return PTR_ERR(key);
|
|
}
|
|
|
|
/*
|
|
* Commence key construction.
|
|
*/
|
|
static struct key *construct_key_and_link(struct keyring_search_context *ctx,
|
|
const char *callout_info,
|
|
size_t callout_len,
|
|
void *aux,
|
|
struct key *dest_keyring,
|
|
unsigned long flags)
|
|
{
|
|
struct key_user *user;
|
|
struct key *key;
|
|
int ret;
|
|
|
|
kenter("");
|
|
|
|
if (ctx->index_key.type == &key_type_keyring)
|
|
return ERR_PTR(-EPERM);
|
|
|
|
ret = construct_get_dest_keyring(&dest_keyring);
|
|
if (ret)
|
|
goto error;
|
|
|
|
user = key_user_lookup(current_fsuid());
|
|
if (!user) {
|
|
ret = -ENOMEM;
|
|
goto error_put_dest_keyring;
|
|
}
|
|
|
|
ret = construct_alloc_key(ctx, dest_keyring, flags, user, &key);
|
|
key_user_put(user);
|
|
|
|
if (ret == 0) {
|
|
ret = construct_key(key, callout_info, callout_len, aux,
|
|
dest_keyring);
|
|
if (ret < 0) {
|
|
kdebug("cons failed");
|
|
goto construction_failed;
|
|
}
|
|
} else if (ret == -EINPROGRESS) {
|
|
ret = 0;
|
|
} else {
|
|
goto error_put_dest_keyring;
|
|
}
|
|
|
|
key_put(dest_keyring);
|
|
kleave(" = key %d", key_serial(key));
|
|
return key;
|
|
|
|
construction_failed:
|
|
key_negate_and_link(key, key_negative_timeout, NULL, NULL);
|
|
key_put(key);
|
|
error_put_dest_keyring:
|
|
key_put(dest_keyring);
|
|
error:
|
|
kleave(" = %d", ret);
|
|
return ERR_PTR(ret);
|
|
}
|
|
|
|
/**
|
|
* request_key_and_link - Request a key and cache it in a keyring.
|
|
* @type: The type of key we want.
|
|
* @description: The searchable description of the key.
|
|
* @domain_tag: The domain in which the key operates.
|
|
* @callout_info: The data to pass to the instantiation upcall (or NULL).
|
|
* @callout_len: The length of callout_info.
|
|
* @aux: Auxiliary data for the upcall.
|
|
* @dest_keyring: Where to cache the key.
|
|
* @flags: Flags to key_alloc().
|
|
*
|
|
* A key matching the specified criteria (type, description, domain_tag) is
|
|
* searched for in the process's keyrings and returned with its usage count
|
|
* incremented if found. Otherwise, if callout_info is not NULL, a key will be
|
|
* allocated and some service (probably in userspace) will be asked to
|
|
* instantiate it.
|
|
*
|
|
* If successfully found or created, the key will be linked to the destination
|
|
* keyring if one is provided.
|
|
*
|
|
* Returns a pointer to the key if successful; -EACCES, -ENOKEY, -EKEYREVOKED
|
|
* or -EKEYEXPIRED if an inaccessible, negative, revoked or expired key was
|
|
* found; -ENOKEY if no key was found and no @callout_info was given; -EDQUOT
|
|
* if insufficient key quota was available to create a new key; or -ENOMEM if
|
|
* insufficient memory was available.
|
|
*
|
|
* If the returned key was created, then it may still be under construction,
|
|
* and wait_for_key_construction() should be used to wait for that to complete.
|
|
*/
|
|
struct key *request_key_and_link(struct key_type *type,
|
|
const char *description,
|
|
struct key_tag *domain_tag,
|
|
const void *callout_info,
|
|
size_t callout_len,
|
|
void *aux,
|
|
struct key *dest_keyring,
|
|
unsigned long flags)
|
|
{
|
|
struct keyring_search_context ctx = {
|
|
.index_key.type = type,
|
|
.index_key.domain_tag = domain_tag,
|
|
.index_key.description = description,
|
|
.index_key.desc_len = strlen(description),
|
|
.cred = current_cred(),
|
|
.match_data.cmp = key_default_cmp,
|
|
.match_data.raw_data = description,
|
|
.match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
|
|
.flags = (KEYRING_SEARCH_DO_STATE_CHECK |
|
|
KEYRING_SEARCH_SKIP_EXPIRED |
|
|
KEYRING_SEARCH_RECURSE),
|
|
};
|
|
struct key *key;
|
|
key_ref_t key_ref;
|
|
int ret;
|
|
|
|
kenter("%s,%s,%p,%zu,%p,%p,%lx",
|
|
ctx.index_key.type->name, ctx.index_key.description,
|
|
callout_info, callout_len, aux, dest_keyring, flags);
|
|
|
|
if (type->match_preparse) {
|
|
ret = type->match_preparse(&ctx.match_data);
|
|
if (ret < 0) {
|
|
key = ERR_PTR(ret);
|
|
goto error;
|
|
}
|
|
}
|
|
|
|
key = check_cached_key(&ctx);
|
|
if (key)
|
|
goto error_free;
|
|
|
|
/* search all the process keyrings for a key */
|
|
rcu_read_lock();
|
|
key_ref = search_process_keyrings_rcu(&ctx);
|
|
rcu_read_unlock();
|
|
|
|
if (!IS_ERR(key_ref)) {
|
|
if (dest_keyring) {
|
|
ret = key_task_permission(key_ref, current_cred(),
|
|
KEY_NEED_LINK);
|
|
if (ret < 0) {
|
|
key_ref_put(key_ref);
|
|
key = ERR_PTR(ret);
|
|
goto error_free;
|
|
}
|
|
}
|
|
|
|
key = key_ref_to_ptr(key_ref);
|
|
if (dest_keyring) {
|
|
ret = key_link(dest_keyring, key);
|
|
if (ret < 0) {
|
|
key_put(key);
|
|
key = ERR_PTR(ret);
|
|
goto error_free;
|
|
}
|
|
}
|
|
|
|
/* Only cache the key on immediate success */
|
|
cache_requested_key(key);
|
|
} else if (PTR_ERR(key_ref) != -EAGAIN) {
|
|
key = ERR_CAST(key_ref);
|
|
} else {
|
|
/* the search failed, but the keyrings were searchable, so we
|
|
* should consult userspace if we can */
|
|
key = ERR_PTR(-ENOKEY);
|
|
if (!callout_info)
|
|
goto error_free;
|
|
|
|
key = construct_key_and_link(&ctx, callout_info, callout_len,
|
|
aux, dest_keyring, flags);
|
|
}
|
|
|
|
error_free:
|
|
if (type->match_free)
|
|
type->match_free(&ctx.match_data);
|
|
error:
|
|
kleave(" = %p", key);
|
|
return key;
|
|
}
|
|
|
|
/**
|
|
* wait_for_key_construction - Wait for construction of a key to complete
|
|
* @key: The key being waited for.
|
|
* @intr: Whether to wait interruptibly.
|
|
*
|
|
* Wait for a key to finish being constructed.
|
|
*
|
|
* Returns 0 if successful; -ERESTARTSYS if the wait was interrupted; -ENOKEY
|
|
* if the key was negated; or -EKEYREVOKED or -EKEYEXPIRED if the key was
|
|
* revoked or expired.
|
|
*/
|
|
int wait_for_key_construction(struct key *key, bool intr)
|
|
{
|
|
int ret;
|
|
|
|
ret = wait_on_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT,
|
|
intr ? TASK_INTERRUPTIBLE : TASK_UNINTERRUPTIBLE);
|
|
if (ret)
|
|
return -ERESTARTSYS;
|
|
ret = key_read_state(key);
|
|
if (ret < 0)
|
|
return ret;
|
|
return key_validate(key);
|
|
}
|
|
EXPORT_SYMBOL(wait_for_key_construction);
|
|
|
|
/**
|
|
* request_key_tag - Request a key and wait for construction
|
|
* @type: Type of key.
|
|
* @description: The searchable description of the key.
|
|
* @domain_tag: The domain in which the key operates.
|
|
* @callout_info: The data to pass to the instantiation upcall (or NULL).
|
|
*
|
|
* As for request_key_and_link() except that it does not add the returned key
|
|
* to a keyring if found, new keys are always allocated in the user's quota,
|
|
* the callout_info must be a NUL-terminated string and no auxiliary data can
|
|
* be passed.
|
|
*
|
|
* Furthermore, it then works as wait_for_key_construction() to wait for the
|
|
* completion of keys undergoing construction with a non-interruptible wait.
|
|
*/
|
|
struct key *request_key_tag(struct key_type *type,
|
|
const char *description,
|
|
struct key_tag *domain_tag,
|
|
const char *callout_info)
|
|
{
|
|
struct key *key;
|
|
size_t callout_len = 0;
|
|
int ret;
|
|
|
|
if (callout_info)
|
|
callout_len = strlen(callout_info);
|
|
key = request_key_and_link(type, description, domain_tag,
|
|
callout_info, callout_len,
|
|
NULL, NULL, KEY_ALLOC_IN_QUOTA);
|
|
if (!IS_ERR(key)) {
|
|
ret = wait_for_key_construction(key, false);
|
|
if (ret < 0) {
|
|
key_put(key);
|
|
return ERR_PTR(ret);
|
|
}
|
|
}
|
|
return key;
|
|
}
|
|
EXPORT_SYMBOL(request_key_tag);
|
|
|
|
/**
|
|
* request_key_with_auxdata - Request a key with auxiliary data for the upcaller
|
|
* @type: The type of key we want.
|
|
* @description: The searchable description of the key.
|
|
* @domain_tag: The domain in which the key operates.
|
|
* @callout_info: The data to pass to the instantiation upcall (or NULL).
|
|
* @callout_len: The length of callout_info.
|
|
* @aux: Auxiliary data for the upcall.
|
|
*
|
|
* As for request_key_and_link() except that it does not add the returned key
|
|
* to a keyring if found and new keys are always allocated in the user's quota.
|
|
*
|
|
* Furthermore, it then works as wait_for_key_construction() to wait for the
|
|
* completion of keys undergoing construction with a non-interruptible wait.
|
|
*/
|
|
struct key *request_key_with_auxdata(struct key_type *type,
|
|
const char *description,
|
|
struct key_tag *domain_tag,
|
|
const void *callout_info,
|
|
size_t callout_len,
|
|
void *aux)
|
|
{
|
|
struct key *key;
|
|
int ret;
|
|
|
|
key = request_key_and_link(type, description, domain_tag,
|
|
callout_info, callout_len,
|
|
aux, NULL, KEY_ALLOC_IN_QUOTA);
|
|
if (!IS_ERR(key)) {
|
|
ret = wait_for_key_construction(key, false);
|
|
if (ret < 0) {
|
|
key_put(key);
|
|
return ERR_PTR(ret);
|
|
}
|
|
}
|
|
return key;
|
|
}
|
|
EXPORT_SYMBOL(request_key_with_auxdata);
|
|
|
|
/**
|
|
* request_key_rcu - Request key from RCU-read-locked context
|
|
* @type: The type of key we want.
|
|
* @description: The name of the key we want.
|
|
* @domain_tag: The domain in which the key operates.
|
|
*
|
|
* Request a key from a context that we may not sleep in (such as RCU-mode
|
|
* pathwalk). Keys under construction are ignored.
|
|
*
|
|
* Return a pointer to the found key if successful, -ENOKEY if we couldn't find
|
|
* a key or some other error if the key found was unsuitable or inaccessible.
|
|
*/
|
|
struct key *request_key_rcu(struct key_type *type,
|
|
const char *description,
|
|
struct key_tag *domain_tag)
|
|
{
|
|
struct keyring_search_context ctx = {
|
|
.index_key.type = type,
|
|
.index_key.domain_tag = domain_tag,
|
|
.index_key.description = description,
|
|
.index_key.desc_len = strlen(description),
|
|
.cred = current_cred(),
|
|
.match_data.cmp = key_default_cmp,
|
|
.match_data.raw_data = description,
|
|
.match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
|
|
.flags = (KEYRING_SEARCH_DO_STATE_CHECK |
|
|
KEYRING_SEARCH_SKIP_EXPIRED),
|
|
};
|
|
struct key *key;
|
|
key_ref_t key_ref;
|
|
|
|
kenter("%s,%s", type->name, description);
|
|
|
|
key = check_cached_key(&ctx);
|
|
if (key)
|
|
return key;
|
|
|
|
/* search all the process keyrings for a key */
|
|
key_ref = search_process_keyrings_rcu(&ctx);
|
|
if (IS_ERR(key_ref)) {
|
|
key = ERR_CAST(key_ref);
|
|
if (PTR_ERR(key_ref) == -EAGAIN)
|
|
key = ERR_PTR(-ENOKEY);
|
|
} else {
|
|
key = key_ref_to_ptr(key_ref);
|
|
cache_requested_key(key);
|
|
}
|
|
|
|
kleave(" = %p", key);
|
|
return key;
|
|
}
|
|
EXPORT_SYMBOL(request_key_rcu);
|