2 files changed, 25 insertions, 8 deletions
diff --git a/fs/ecryptfs/ecryptfs_kernel.h b/fs/ecryptfs/ecryptfs_kernel.h
index 9c351bf757b2..3fbc0ff79699 100644
--- a/fs/ecryptfs/ecryptfs_kernel.h
+++ b/fs/ecryptfs/ecryptfs_kernel.h
@@ -84,11 +84,16 @@ struct ecryptfs_page_crypt_context {
 static inline struct ecryptfs_auth_tok *
 ecryptfs_get_encrypted_key_payload_data(struct key *key)
 {
-        if (key->type == &key_type_encrypted)
+        struct encrypted_key_payload *payload;
-                return (struct ecryptfs_auth_tok *)
-                        (&((struct encrypted_key_payload *)key->payload.data[0])->payload_data);
+        if (key->type != &key_type_encrypted)
-        else
                return NULL;
+        payload = key->payload.data[0];
+        if (!payload)
+                return ERR_PTR(-EKEYREVOKED);
+        return (struct ecryptfs_auth_tok *)payload->payload_data;
 }
 static inline struct key *ecryptfs_get_encrypted_key(char *sig)
@@ -114,12 +119,17 @@ static inline struct ecryptfs_auth_tok *
 ecryptfs_get_key_payload_data(struct key *key)
 {
        struct ecryptfs_auth_tok *auth_tok;
+        struct user_key_payload *ukp;
        auth_tok = ecryptfs_get_encrypted_key_payload_data(key);
-        if (!auth_tok)
+        if (auth_tok)
-                return (struct ecryptfs_auth_tok *)user_key_payload_locked(key)->data;
-        else
                return auth_tok;
+        ukp = user_key_payload_locked(key);
+        if (!ukp)
+                return ERR_PTR(-EKEYREVOKED);
+        return (struct ecryptfs_auth_tok *)ukp->data;
 }
 #define ECRYPTFS_MAX_KEYSET_SIZE 1024
diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
index 3cf1546dca82..fa218cd64f74 100644
--- a/fs/ecryptfs/keystore.c
+++ b/fs/ecryptfs/keystore.c
@@ -459,7 +459,8 @@ out:
 * @auth_tok_key: key containing the authentication token
 * @auth_tok: authentication token
 *
- * Returns zero on valid auth tok; -EINVAL otherwise
+ * Returns zero on valid auth tok; -EINVAL if the payload is invalid; or
+ * -EKEYREVOKED if the key was revoked before we acquired its semaphore.
 */
 static int
 ecryptfs_verify_auth_tok_from_key(struct key *auth_tok_key,
@@ -468,6 +469,12 @@ ecryptfs_verify_auth_tok_from_key(struct key *auth_tok_key,
        int rc = 0;
        (*auth_tok) = ecryptfs_get_key_payload_data(auth_tok_key);
+        if (IS_ERR(*auth_tok)) {
+                rc = PTR_ERR(*auth_tok);
+                *auth_tok = NULL;
+                goto out;
+        }
        if (ecryptfs_verify_version((*auth_tok)->version)) {
                printk(KERN_ERR "Data structure version mismatch. Userspace "
                       "tools must match eCryptfs kernel module with major "

diff --git a/fs/ecryptfs/ecryptfs_kernel.h b/fs/ecryptfs/ecryptfs_kernel.h index 9c351bf757b2..3fbc0ff79699 100644 --- a/fs/ecryptfs/ecryptfs_kernel.h +++ b/fs/ecryptfs/ecryptfs_kernel.h
@@ -84,11 +84,16 @@ struct ecryptfs_page_crypt_context {
84	static inline struct ecryptfs_auth_tok *	84	static inline struct ecryptfs_auth_tok *
85	ecryptfs_get_encrypted_key_payload_data(struct key *key)	85	ecryptfs_get_encrypted_key_payload_data(struct key *key)
86	{	86	{
87	if (key->type == &key_type_encrypted)	87	struct encrypted_key_payload *payload;
88	return (struct ecryptfs_auth_tok *)	88
89	(&((struct encrypted_key_payload *)key->payload.data[0])->payload_data);	89	if (key->type != &key_type_encrypted)
90	else
91	return NULL;	90	return NULL;
		91
		92	payload = key->payload.data[0];
		93	if (!payload)
		94	return ERR_PTR(-EKEYREVOKED);
		95
		96	return (struct ecryptfs_auth_tok *)payload->payload_data;
92	}	97	}
93		98
94	static inline struct key ecryptfs_get_encrypted_key(char sig)	99	static inline struct key ecryptfs_get_encrypted_key(char sig)
@@ -114,12 +119,17 @@ static inline struct ecryptfs_auth_tok *
114	ecryptfs_get_key_payload_data(struct key *key)	119	ecryptfs_get_key_payload_data(struct key *key)
115	{	120	{
116	struct ecryptfs_auth_tok *auth_tok;	121	struct ecryptfs_auth_tok *auth_tok;
		122	struct user_key_payload *ukp;
117		123
118	auth_tok = ecryptfs_get_encrypted_key_payload_data(key);	124	auth_tok = ecryptfs_get_encrypted_key_payload_data(key);
119	if (!auth_tok)	125	if (auth_tok)
120	return (struct ecryptfs_auth_tok *)user_key_payload_locked(key)->data;
121	else
122	return auth_tok;	126	return auth_tok;
		127
		128	ukp = user_key_payload_locked(key);
		129	if (!ukp)
		130	return ERR_PTR(-EKEYREVOKED);
		131
		132	return (struct ecryptfs_auth_tok *)ukp->data;
123	}	133	}
124		134
125	#define ECRYPTFS_MAX_KEYSET_SIZE 1024	135	#define ECRYPTFS_MAX_KEYSET_SIZE 1024


diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c index 3cf1546dca82..fa218cd64f74 100644 --- a/fs/ecryptfs/keystore.c +++ b/fs/ecryptfs/keystore.c
@@ -459,7 +459,8 @@ out:
459	* @auth_tok_key: key containing the authentication token	459	* @auth_tok_key: key containing the authentication token
460	* @auth_tok: authentication token	460	* @auth_tok: authentication token
461	*	461	*
462	* Returns zero on valid auth tok; -EINVAL otherwise	462	* Returns zero on valid auth tok; -EINVAL if the payload is invalid; or
		463	* -EKEYREVOKED if the key was revoked before we acquired its semaphore.
463	*/	464	*/
464	static int	465	static int
465	ecryptfs_verify_auth_tok_from_key(struct key *auth_tok_key,	466	ecryptfs_verify_auth_tok_from_key(struct key *auth_tok_key,
@@ -468,6 +469,12 @@ ecryptfs_verify_auth_tok_from_key(struct key *auth_tok_key,
468	int rc = 0;	469	int rc = 0;
469		470
470	(*auth_tok) = ecryptfs_get_key_payload_data(auth_tok_key);	471	(*auth_tok) = ecryptfs_get_key_payload_data(auth_tok_key);
		472	if (IS_ERR(*auth_tok)) {
		473	rc = PTR_ERR(*auth_tok);
		474	*auth_tok = NULL;
		475	goto out;
		476	}
		477
471	if (ecryptfs_verify_version((*auth_tok)->version)) {	478	if (ecryptfs_verify_version((*auth_tok)->version)) {
472	printk(KERN_ERR "Data structure version mismatch. Userspace "	479	printk(KERN_ERR "Data structure version mismatch. Userspace "
473	"tools must match eCryptfs kernel module with major "	480	"tools must match eCryptfs kernel module with major "