From patchwork Mon Sep 18 18:36:45 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 9957377 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 37F8B60385 for ; Mon, 18 Sep 2017 18:37:00 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2B91C28D33 for ; Mon, 18 Sep 2017 18:37:00 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2079428D3B; Mon, 18 Sep 2017 18:37:00 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A84DF28D33 for ; Mon, 18 Sep 2017 18:36:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756701AbdIRSg6 (ORCPT ); Mon, 18 Sep 2017 14:36:58 -0400 Received: from mail-pf0-f195.google.com ([209.85.192.195]:32778 "EHLO mail-pf0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754019AbdIRSg5 (ORCPT ); Mon, 18 Sep 2017 14:36:57 -0400 Received: by mail-pf0-f195.google.com with SMTP id h4so518203pfk.0; Mon, 18 Sep 2017 11:36:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=+l9lA41Bh0LEGIliJt7vAdBa8yaOdEdMzuZHEI7breo=; b=H4UQxSKo8ZbA2U7eXT91B0h0hkJIw3Q+zKahLG++dikL6YjI+/73OJ/0+zonsnPJRI 72+D5Rc8meOHSqfAWUPv3X0OwZWeiF+Dj8+EwA9a262VEyZQhQBDW0chzjYH4bwtrxJz i84pRpRoM7x2CSukapo3GSi/57ObVQ8CUUpX13OqvIB0GB3OVZNIf4AGt+L9ubkpyXxL ADs+WN+yzbc2ZaRPSwp6vw+N5vkbMxxqWVgGjEZFbNWTjS/giWm3jI4DG11cxW4VJi7F ofbWF/hVSTVsdCrF1VY2CVhhdRKQ7zlV8WAwdpVHxRx9z6y8DCdLejVMEjbwc6jd0IBs KNKA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=+l9lA41Bh0LEGIliJt7vAdBa8yaOdEdMzuZHEI7breo=; b=LfcXXSkMDvil/6AtE7znZWAV+tp8KG+ogn8DRxoUCdQadopQHvPLZWBcsGGheKSx9y A24tz+bt2aivUMmnYde+KKTfrr6EYEg2yD0GdsSG2BTd3ihH0ZXGQ6DVV2fowUxnmRNb yL/l0RnE18xl4DoTNdNEPlU/i0Z3vzhjurWBxpro9yOKl9VwdDXSSThweOhgqCUjzjU5 6ZzaXJIwh9Cd9rMfmr0PbQdrPFVm+SROEf/r8y3dskzBvf7Q2ULMNbJU/s2RC+bI6bH1 LUmH+xcCVCPS7E9DnNO/zSNCgFSZJHFe154vrSmaU9v0hE8G0dkP1Q5+MecmLRJMcQGK dL9Q== X-Gm-Message-State: AHPjjUgaiwkn5RZDDyVa0cjQUeTwC3kaL76CGX+W8Ots3fmt7p4IVNZl kq4jYVfJAJQpF3x+8UA= X-Google-Smtp-Source: ADKCNb7szBgRHBY7VdY2bFZpOFv87rVxbCD7Ta7PE4OJPbfdt9ImGt4G/MnbqMKtMKoqyHYewlGYbA== X-Received: by 10.99.126.84 with SMTP id o20mr32996241pgn.201.1505759816300; Mon, 18 Sep 2017 11:36:56 -0700 (PDT) Received: from ebiggers-linuxstation.kir.corp.google.com ([100.66.174.81]) by smtp.gmail.com with ESMTPSA id i87sm65057pfi.184.2017.09.18.11.36.55 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 18 Sep 2017 11:36:55 -0700 (PDT) From: Eric Biggers To: keyrings@vger.kernel.org Cc: David Howells , Michael Halcrow , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Eric Biggers , stable@vger.kernel.org Subject: [PATCH] KEYS: fix writing past end of user-supplied buffer in keyring_read() Date: Mon, 18 Sep 2017 11:36:45 -0700 Message-Id: <20170918183645.114070-1-ebiggers3@gmail.com> X-Mailer: git-send-email 2.14.1.690.gbb1197296e-goog Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers Userspace can call keyctl_read() on a keyring to get the list of IDs of keys in the keyring. But if the user-supplied buffer is too small, the kernel would write the full list anyway --- which will corrupt whatever userspace memory happened to be past the end of the buffer. Fix it by only filling the space that is available. Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring") Cc: [v3.13+] Signed-off-by: Eric Biggers --- security/keys/keyring.c | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/security/keys/keyring.c b/security/keys/keyring.c index d8d08bd9c159..4fa82a8a9c0e 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -423,7 +423,7 @@ static void keyring_describe(const struct key *keyring, struct seq_file *m) } struct keyring_read_iterator_context { - size_t qty; + size_t buflen; size_t count; key_serial_t __user *buffer; }; @@ -435,9 +435,9 @@ static int keyring_read_iterator(const void *object, void *data) int ret; kenter("{%s,%d},,{%zu/%zu}", - key->type->name, key->serial, ctx->count, ctx->qty); + key->type->name, key->serial, ctx->count, ctx->buflen); - if (ctx->count >= ctx->qty) + if (ctx->count >= ctx->buflen) return 1; ret = put_user(key->serial, ctx->buffer); @@ -472,16 +472,12 @@ static long keyring_read(const struct key *keyring, return 0; /* Calculate how much data we could return */ - ctx.qty = nr_keys * sizeof(key_serial_t); - if (!buffer || !buflen) - return ctx.qty; - - if (buflen > ctx.qty) - ctx.qty = buflen; + return nr_keys * sizeof(key_serial_t); /* Copy the IDs of the subscribed keys into the buffer */ ctx.buffer = (key_serial_t __user *)buffer; + ctx.buflen = buflen; ctx.count = 0; ret = assoc_array_iterate(&keyring->keys, keyring_read_iterator, &ctx); if (ret < 0) {