
Commit 6d94074f authored by Davi Arnaut's avatar Davi Arnaut Committed by Linus Torvalds

[PATCH] Fix keyctl usage of strnlen_user()



In the small window between strnlen_user() and copy_from_user() userspace
could alter the terminating `\0' character.

Signed-off-by: default avatarDavi Arnaut <davi.arnaut@gmail.com>
Cc: David Howells <dhowells@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent 353368df
+10 −5
@@ -67,9 +67,10 @@ asmlinkage long sys_add_key(const char __user *_type,
	description = kmalloc(dlen + 1, GFP_KERNEL);
	description = kmalloc(dlen + 1, GFP_KERNEL);
	if (!description)
	if (!description)
		goto error;
		goto error;
	description[dlen] = '\0';


	ret = -EFAULT;
	ret = -EFAULT;
	if (copy_from_user(description, _description, dlen + 1) != 0)
	if (copy_from_user(description, _description, dlen) != 0)
		goto error2;
		goto error2;


	/* pull the payload in if one was supplied */
	/* pull the payload in if one was supplied */
@@ -161,9 +162,10 @@ asmlinkage long sys_request_key(const char __user *_type,
	description = kmalloc(dlen + 1, GFP_KERNEL);
	description = kmalloc(dlen + 1, GFP_KERNEL);
	if (!description)
	if (!description)
		goto error;
		goto error;
	description[dlen] = '\0';


	ret = -EFAULT;
	ret = -EFAULT;
	if (copy_from_user(description, _description, dlen + 1) != 0)
	if (copy_from_user(description, _description, dlen) != 0)
		goto error2;
		goto error2;


	/* pull the callout info into kernel space */
	/* pull the callout info into kernel space */
@@ -182,9 +184,10 @@ asmlinkage long sys_request_key(const char __user *_type,
		callout_info = kmalloc(dlen + 1, GFP_KERNEL);
		callout_info = kmalloc(dlen + 1, GFP_KERNEL);
		if (!callout_info)
		if (!callout_info)
			goto error2;
			goto error2;
		callout_info[dlen] = '\0';


		ret = -EFAULT;
		ret = -EFAULT;
		if (copy_from_user(callout_info, _callout_info, dlen + 1) != 0)
		if (copy_from_user(callout_info, _callout_info, dlen) != 0)
			goto error3;
			goto error3;
	}
	}


@@ -279,9 +282,10 @@ long keyctl_join_session_keyring(const char __user *_name)
		name = kmalloc(nlen + 1, GFP_KERNEL);
		name = kmalloc(nlen + 1, GFP_KERNEL);
		if (!name)
		if (!name)
			goto error;
			goto error;
		name[nlen] = '\0';


		ret = -EFAULT;
		ret = -EFAULT;
		if (copy_from_user(name, _name, nlen + 1) != 0)
		if (copy_from_user(name, _name, nlen) != 0)
			goto error2;
			goto error2;
	}
	}


@@ -583,9 +587,10 @@ long keyctl_keyring_search(key_serial_t ringid,
	description = kmalloc(dlen + 1, GFP_KERNEL);
	description = kmalloc(dlen + 1, GFP_KERNEL);
	if (!description)
	if (!description)
		goto error;
		goto error;
	description[dlen] = '\0';


	ret = -EFAULT;
	ret = -EFAULT;
	if (copy_from_user(description, _description, dlen + 1) != 0)
	if (copy_from_user(description, _description, dlen) != 0)
		goto error2;
		goto error2;


	/* get the keyring at which to begin the search */
	/* get the keyring at which to begin the search */
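Review bot: The explicit `description[dlen] = '\0';` in this hunk, like the matching lines for `description`, `callout_info` and `name` in the four hunks above it, has no comment saying why the kernel writes the terminator itself instead of copying it, so a later cleanup could fold it back into a `dlen + 1` copy. I would put a comment above each one, for example `/* userspace can rewrite the string after strnlen_user(); terminate the kernel copy ourselves */`. The length computation and the code that consumes these buffers are outside the hunks, so it is worth confirming there that nothing treats `dlen`/`nlen` as the exact string length, because the bytes actually copied may no longer match what was measured (an earlier NUL, or a non-NUL final byte). Since the same allocate/terminate/copy sequence now appears five times, a single helper that duplicates a bounded user string would keep this rule in one place.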