[PATCH] KEYS: trusted: fix writing past end of buffer in trusted_read()
James Morris
james.l.morris at oracle.com
Fri Oct 27 07:55:39 UTC 2017
On Thu, 26 Oct 2017, Eric Biggers wrote:
> From: Eric Biggers <ebiggers at google.com>
>
> When calling keyctl_read() on a key of type "trusted", if the
> user-supplied buffer was too small, the kernel ignored the buffer length
> and just wrote past the end of the buffer, potentially corrupting
> userspace memory. Fix it by instead returning the size required, as per
> the documentation for keyctl_read().
>
> We also don't even fill the buffer at all in this case, as this is
> slightly easier to implement than doing a short read, and either
> behavior appears to be permitted. It also makes it match the behavior
> of the "encrypted" key type.
>
> Fixes: d00a1c72f7f4 ("keys: add new trusted key-type")
> Reported-by: Ben Hutchings <ben at decadent.org.uk>
> Cc: <stable at vger.kernel.org> # v2.6.38+
> Signed-off-by: Eric Biggers <ebiggers at google.com>
Reviewed-by: James Morris <james.l.morris at oracle.com>
--
James Morris
<james.l.morris at oracle.com>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list