From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from out4-smtp.messagingengine.com ([66.111.4.28]:38509 "EHLO out4-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753694AbdKKMzG (ORCPT ); Sat, 11 Nov 2017 07:55:06 -0500
Date: Sat, 11 Nov 2017 13:55:06 +0100
From: Greg KH
To: Eric Biggers
Cc: stable@vger.kernel.org, ben@decadent.org.uk, dhowells@redhat.com, james.l.morris@oracle.com, zohar@linux.vnet.ibm.com
Subject: Re: [PATCH 2/2] KEYS: trusted: fix writing past end of buffer in trusted_read()
Message-ID: <20171111125506.GB20003@kroah.com>
References: <20171110192851.136444-1-ebiggers@google.com> <20171110192851.136444-2-ebiggers@google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20171110192851.136444-2-ebiggers@google.com>
Sender: stable-owner@vger.kernel.org
List-ID:

On Fri, Nov 10, 2017 at 11:28:51AM -0800, Eric Biggers wrote:
> commit a3c812f7cfd80cf51e8f5b7034f7418f6beb56c1 upstream.
> [Please apply to 3.18-stable.]
>
> When calling keyctl_read() on a key of type "trusted", if the
> user-supplied buffer was too small, the kernel ignored the buffer length
> and just wrote past the end of the buffer, potentially corrupting
> userspace memory. Fix it by instead returning the size required, as per
> the documentation for keyctl_read().
>
> We also don't even fill the buffer at all in this case, as this is
> slightly easier to implement than doing a short read, and either
> behavior appears to be permitted. It also makes it match the behavior
> of the "encrypted" key type.
>
> Fixes: d00a1c72f7f4 ("keys: add new trusted key-type")
> Reported-by: Ben Hutchings
> Cc: # v2.6.38+
> Signed-off-by: Eric Biggers
> Signed-off-by: David Howells
> Reviewed-by: Mimi Zohar
> Reviewed-by: James Morris
> Signed-off-by: James Morris
> ---
> security/keys/trusted.c | 23 ++++++++++++-----------
> 1 file changed, 12 insertions(+), 11 deletions(-)

Thanks for both of these, now queued up.

greg k-h
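
The keyctl_read() contract described in the quoted commit message, as an added user-space C model that is not part of this mail or of the kernel patch: the read handler always returns the size required and leaves a too-small buffer untouched, and the caller probes for the size, allocates, and retries. The names `model_key_read`, `read_whole_key` and `self_check`, the sample bytes, and the hex export format are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed sample payload, not real key material. */
static const unsigned char sample_blob[] = { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02 };

/* Model of a ->read() handler: always returns the size required and
 * writes only when the whole result fits. Hex export is an assumption. */
static long model_key_read(const unsigned char *blob, size_t blob_len,
                           char *buffer, size_t buflen)
{
    static const char hex[] = "0123456789abcdef";
    size_t need = 2 * blob_len;
    if (buffer && buflen >= need)
        for (size_t i = 0; i < blob_len; i++) {
            buffer[2 * i] = hex[blob[i] >> 4];
            buffer[2 * i + 1] = hex[blob[i] & 0x0f];
        }
    return (long)need;
}

/* Caller side: probe for the size, allocate, read; retry if the required
 * size grew between calls. Returns a malloc'd string, or NULL on failure. */
static char *read_whole_key(const unsigned char *blob, size_t blob_len)
{
    char *buf = NULL;
    size_t cap = 0;
    for (;;) {
        long need = model_key_read(blob, blob_len, buf, cap);
        if (need < 0) { free(buf); return NULL; }  /* a real read can fail */
        if (buf && (size_t)need <= cap) { buf[need] = '\0'; return buf; }
        free(buf);
        cap = (size_t)need;
        buf = malloc(cap + 1);          /* +1 for the terminating NUL */
        if (!buf) return NULL;
    }
}

/* Returns 1 if a short buffer stays untouched and the retry loop gets the full string. */
static int self_check(void)
{
    char small[4] = { 'X', 'X', 'X', 'X' };
    long need = model_key_read(sample_blob, sizeof sample_blob, small, sizeof small);
    char *s = read_whole_key(sample_blob, sizeof sample_blob);
    int ok = need == 12 && !memcmp(small, "XXXX", 4) && s && !strcmp(s, "deadbeef0102");
    free(s);
    return ok;
}

int main(void) { return self_check() ? 0 : 1; }
```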