Re: [PATCH 4.4 11/41] KEYS: fix writing past end of user-supplied buffer in keyring_read()

From: Ben Hutchings
Date: Mon Oct 16 2017 - 11:47:43 EST


On Tue, 2017-10-03 at 14:21 +0200, Greg Kroah-Hartman wrote:
> 4.4-stable review patch.ÂÂIf anyone has any objections, please let me know.
>
> ------------------
>
> From: Eric Biggers <ebiggers@xxxxxxxxxx>
>
> commit e645016abc803dafc75e4b8f6e4118f088900ffb upstream.
>
> Userspace can call keyctl_read() on a keyring to get the list of IDs of
> keys in the keyring.ÂÂBut if the user-supplied buffer is too small, the
> kernel would write the full list anyway --- which will corrupt whatever
> userspace memory happened to be past the end of the buffer.ÂÂFix it by
> only filling the space that is available.
[...]

trusted_read() has the same bug.

Also, the comment above keyctl_read_key() says "return the amount of
data that is available in the key, irrespective of how much we copied
into the buffer." All the other implementations of key_type::read seem
to follow that, but this changes keyring_read() to return buflen in
case of a truncated read.

Ben.

--
Ben Hutchings
Software Developer, Codethink Ltd.