Re: [PATCH 4.4 11/41] KEYS: fix writing past end of user-supplied buffer in keyring_read()

From: Eric Biggers
Date: Mon Oct 16 2017 - 14:12:16 EST


On Mon, Oct 16, 2017 at 04:47:34PM +0100, Ben Hutchings wrote:
> On Tue, 2017-10-03 at 14:21 +0200, Greg Kroah-Hartman wrote:
> > 4.4-stable review patch.  If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Eric Biggers <ebiggers@xxxxxxxxxx>
> >
> > commit e645016abc803dafc75e4b8f6e4118f088900ffb upstream.
> >
> > Userspace can call keyctl_read() on a keyring to get the list of IDs of
> > keys in the keyring.  But if the user-supplied buffer is too small, the
> > kernel would write the full list anyway --- which will corrupt whatever
> > userspace memory happened to be past the end of the buffer.  Fix it by
> > only filling the space that is available.
> [...]
>
> trusted_read() has the same bug.
>
> Also, the comment above keyctl_read_key() says "return the amount of
> data that is available in the key, irrespective of how much we copied
> into the buffer." All the other implementations of key_type::read seem
> to follow that, but this changes keyring_read() to return buflen in
> case of a truncated read.
>

Hi Ben, thanks for pointing this out. I had assumed the "obvious" semantics,
but it turns out that's not what's documented. And actually the comment above
keyctl_read_key() might be wrong too, since the man page says that nothing is
copied if the buffer is too small... David, which behavior was intended? Some
of the ->read() methods will fill a too-small buffer, while others don't.

I think this bug isn't *too* bad since the short return will only be encountered
in cases where the kernel would have corrupted userspace memory before. But
I'll send a patch to fix it.

And yes, trusted_read() is ignoring 'buflen' which is a bug too; I'll see if I
can fix that too...

Eric