[PATCH 1/7] lib: Fix a couple of potential signed oveflows

From: David Howells
Date: Fri Aug 22 2025 - 10:36:24 EST

Next message: Jan Kara: "Re: [PATCH] fs: Use try_cmpxchg() in sb_init_done_wq()"
Previous message: David Howells: "[PATCH 5/7] request-key: Add help text"
In reply to: Jarkko Sakkinen: "Re: [PATCH 5/7] request-key: Add help text"
Next in thread: Jarkko Sakkinen: "Re: [PATCH 1/7] lib: Fix a couple of potential signed oveflows"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Fix keyctl_read_alloc() to check for a potential unsigned overflow when we
allocate a buffer with an extra byte added on the end for a NUL.

Fix keyctl_dh_compute_alloc() for the same thing.

Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
---
keyutils.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/keyutils.c b/keyutils.c
index 37b6cc3..fd02cda 100644
--- a/keyutils.c
+++ b/keyutils.c
@@ -18,6 +18,7 @@
#include <dlfcn.h>
#include <sys/uio.h>
#include <errno.h>
+#include <limits.h>
#include <asm/unistd.h>
#include "keyutils.h"

@@ -442,6 +443,8 @@ int keyctl_read_alloc(key_serial_t id, void **_buffer)
return -1;

for (;;) {
+ if (ret == LONG_MAX)
+ return -EFBIG; /* Don't let buflen+1 overflow. */
buflen = ret;
buf = malloc(buflen + 1);
if (!buf)
@@ -515,6 +518,8 @@ int keyctl_dh_compute_alloc(key_serial_t priv, key_serial_t prime,
if (ret < 0)
return -1;

+ if (ret == LONG_MAX)
+ return -EFBIG; /* Don't let buflen+1 overflow. */
buflen = ret;
buf = malloc(buflen + 1);
if (!buf)

Next message: Jan Kara: "Re: [PATCH] fs: Use try_cmpxchg() in sb_init_done_wq()"
Previous message: David Howells: "[PATCH 5/7] request-key: Add help text"
In reply to: Jarkko Sakkinen: "Re: [PATCH 5/7] request-key: Add help text"
Next in thread: Jarkko Sakkinen: "Re: [PATCH 1/7] lib: Fix a couple of potential signed oveflows"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]