Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 47e8bd19 authored by Eric Biggers's avatar Eric Biggers Committed by Greg Kroah-Hartman
Browse files

KEYS: fix writing past end of user-supplied buffer in keyring_read() 



commit e645016abc803dafc75e4b8f6e4118f088900ffb upstream.

Userspace can call keyctl_read() on a keyring to get the list of IDs of
keys in the keyring.  But if the user-supplied buffer is too small, the
kernel would write the full list anyway --- which will corrupt whatever
userspace memory happened to be past the end of the buffer.  Fix it by
only filling the space that is available.

Fixes: b2a4df20 ("KEYS: Expand the capacity of a keyring")
Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 0c70fb88

security/keys/keyring.c

+5 −9
Original line number Diff line number Diff line
@@ -416,7 +416,7 @@ static void keyring_describe(const struct key *keyring, struct seq_file *m) 
}



struct keyring_read_iterator_context {

	size_t			qty;

	size_t			buflen;

	size_t			count;

	key_serial_t __user	*buffer;

};
@@ -428,9 +428,9 @@ static int keyring_read_iterator(const void *object, void *data) 
	int ret;



	kenter("{%s,%d},,{%zu/%zu}",

	       key->type->name, key->serial, ctx->count, ctx->qty);

	       key->type->name, key->serial, ctx->count, ctx->buflen);



	if (ctx->count >= ctx->qty)

	if (ctx->count >= ctx->buflen)

		return 1;



	ret = put_user(key->serial, ctx->buffer);
@@ -465,16 +465,12 @@ static long keyring_read(const struct key *keyring, 
		return 0;



	/* Calculate how much data we could return */

	ctx.qty = nr_keys * sizeof(key_serial_t);



	if (!buffer || !buflen)

		return ctx.qty;



	if (buflen > ctx.qty)

		ctx.qty = buflen;

		return nr_keys * sizeof(key_serial_t);



	/* Copy the IDs of the subscribed keys into the buffer */

	ctx.buffer = (key_serial_t __user *)buffer;

	ctx.buflen = buflen;

	ctx.count = 0;

	ret = assoc_array_iterate(&keyring->keys, keyring_read_iterator, &ctx);

	if (ret < 0) {