From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Ben Hutchings <ben@decadent.org.uk>,
Eric Biggers <ebiggers@google.com>,
David Howells <dhowells@redhat.com>,
James Morris <james.l.morris@oracle.com>
Subject: [PATCH 3.18 05/27] KEYS: return full count in keyring_read() if buffer is too small
Date: Mon, 6 Nov 2017 12:27:50 +0100 [thread overview]
Message-ID: <20171106112736.822997452@linuxfoundation.org> (raw)
In-Reply-To: <20171106112736.529730803@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 3239b6f29bdfb4b0a2ba59df995fc9e6f4df7f1f upstream.
Commit e645016abc80 ("KEYS: fix writing past end of user-supplied buffer
in keyring_read()") made keyring_read() stop corrupting userspace memory
when the user-supplied buffer is too small. However it also made the
return value in that case be the short buffer size rather than the size
required, yet keyctl_read() is actually documented to return the size
required. Therefore, switch it over to the documented behavior.
Note that for now we continue to have it fill the short buffer, since it
did that before (pre-v3.13) and dump_key_tree_aux() in keyutils arguably
relies on it.
Fixes: e645016abc80 ("KEYS: fix writing past end of user-supplied buffer in keyring_read()")
Reported-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/keys/keyring.c | 39 +++++++++++++++++++--------------------
1 file changed, 19 insertions(+), 20 deletions(-)
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -452,34 +452,33 @@ static long keyring_read(const struct ke
char __user *buffer, size_t buflen)
{
struct keyring_read_iterator_context ctx;
- unsigned long nr_keys;
- int ret;
+ long ret;
kenter("{%d},,%zu", key_serial(keyring), buflen);
if (buflen & (sizeof(key_serial_t) - 1))
return -EINVAL;
- nr_keys = keyring->keys.nr_leaves_on_tree;
- if (nr_keys == 0)
- return 0;
-
- /* Calculate how much data we could return */
- if (!buffer || !buflen)
- return nr_keys * sizeof(key_serial_t);
-
- /* Copy the IDs of the subscribed keys into the buffer */
- ctx.buffer = (key_serial_t __user *)buffer;
- ctx.buflen = buflen;
- ctx.count = 0;
- ret = assoc_array_iterate(&keyring->keys, keyring_read_iterator, &ctx);
- if (ret < 0) {
- kleave(" = %d [iterate]", ret);
- return ret;
+ /* Copy as many key IDs as fit into the buffer */
+ if (buffer && buflen) {
+ ctx.buffer = (key_serial_t __user *)buffer;
+ ctx.buflen = buflen;
+ ctx.count = 0;
+ ret = assoc_array_iterate(&keyring->keys,
+ keyring_read_iterator, &ctx);
+ if (ret < 0) {
+ kleave(" = %ld [iterate]", ret);
+ return ret;
+ }
}
- kleave(" = %zu [ok]", ctx.count);
- return ctx.count;
+ /* Return the size of the buffer needed */
+ ret = keyring->keys.nr_leaves_on_tree * sizeof(key_serial_t);
+ if (ret <= buflen)
+ kleave("= %ld [ok]", ret);
+ else
+ kleave("= %ld [buffer too small]", ret);
+ return ret;
}
/*
next prev parent reply other threads:[~2017-11-06 11:34 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-06 11:27 [PATCH 3.18 00/27] 3.18.80-stable review Greg Kroah-Hartman
2017-11-06 11:27 ` [PATCH 3.18 01/27] blk-mq: fix race between timeout and freeing request Greg Kroah-Hartman
2017-11-06 11:27 ` [PATCH 3.18 02/27] ALSA: timer: Add missing mutex lock for compat ioctls Greg Kroah-Hartman
2017-11-06 11:27 ` [PATCH 3.18 03/27] ALSA: seq: Fix nested rwsem annotation for lockdep splat Greg Kroah-Hartman
2017-11-06 11:27 ` [PATCH 3.18 04/27] cifs: check MaxPathNameComponentLength != 0 before using it Greg Kroah-Hartman
2017-11-06 11:27 ` Greg Kroah-Hartman [this message]
2017-11-06 11:27 ` [PATCH 3.18 06/27] KEYS: fix out-of-bounds read during ASN.1 parsing Greg Kroah-Hartman
2017-11-06 11:27 ` [PATCH 3.18 07/27] ASoC: adau17x1: Workaround for noise bug in ADC Greg Kroah-Hartman
2017-11-06 11:27 ` [PATCH 3.18 08/27] arm64: ensure __dump_instr() checks addr_limit Greg Kroah-Hartman
2017-11-06 11:27 ` [PATCH 3.18 09/27] ARM: 8715/1: add a private asm/unaligned.h Greg Kroah-Hartman
2017-11-06 11:27 ` [PATCH 3.18 10/27] ocfs2: fstrim: Fix start offset of first cluster group during fstrim Greg Kroah-Hartman
2017-11-06 11:27 ` [PATCH 3.18 11/27] drm/msm: Fix potential buffer overflow issue Greg Kroah-Hartman
2017-11-06 11:27 ` [PATCH 3.18 12/27] drm/msm: fix an integer overflow test Greg Kroah-Hartman
2017-11-06 11:27 ` [PATCH 3.18 13/27] x86/microcode/intel: Disable late loading on model 79 Greg Kroah-Hartman
2017-11-06 11:27 ` [PATCH 3.18 14/27] mmc: s3cmci: include linux/interrupt.h for tasklet_struct Greg Kroah-Hartman
2017-11-06 11:28 ` [PATCH 3.18 15/27] staging: rtl8712u: Fix endian settings for structs describing network packets Greg Kroah-Hartman
2017-11-06 11:28 ` [PATCH 3.18 16/27] ext4: fix stripe-unaligned allocations Greg Kroah-Hartman
2017-11-06 11:28 ` [PATCH 3.18 17/27] ext4: do not use stripe_width if it is not set Greg Kroah-Hartman
2017-11-06 11:28 ` [PATCH 3.18 18/27] i2c: riic: correctly finish transfers Greg Kroah-Hartman
2017-11-06 11:28 ` [PATCH 3.18 19/27] cx231xx: Fix I2C on Internal Master 3 Bus Greg Kroah-Hartman
2017-11-06 11:28 ` [PATCH 3.18 20/27] xen/manage: correct return value check on xenbus_scanf() Greg Kroah-Hartman
2017-11-06 11:28 ` [PATCH 3.18 21/27] platform/x86: intel_mid_thermal: Fix module autoload Greg Kroah-Hartman
2017-11-06 11:28 ` [PATCH 3.18 22/27] staging: lustre: hsm: stack overrun in hai_dump_data_field Greg Kroah-Hartman
2017-11-06 11:28 ` [PATCH 3.18 23/27] staging: lustre: ptlrpc: skip lock if export failed Greg Kroah-Hartman
2017-11-06 11:28 ` [PATCH 3.18 24/27] s390/dasd: check for device error pointer within state change interrupts Greg Kroah-Hartman
2017-11-06 11:28 ` [PATCH 3.18 25/27] bt8xx: fix memory leak Greg Kroah-Hartman
2017-11-06 11:28 ` [PATCH 3.18 26/27] xen: dont print error message in case of missing Xenstore entry Greg Kroah-Hartman
2017-11-06 11:28 ` [PATCH 3.18 27/27] staging: r8712u: Fix Sparse warning in rtl871x_xmit.c Greg Kroah-Hartman
2017-11-06 14:35 ` [PATCH 3.18 00/27] 3.18.80-stable review Guenter Roeck
2017-11-06 14:44 ` Greg Kroah-Hartman
[not found] ` <CALpmF+H7QrgQDWdYCHHMD-kpxCrPVp14T72p51L8gNWfNq2x1g@mail.gmail.com>
2017-11-07 10:34 ` Greg Kroah-Hartman
2017-11-06 21:16 ` Guenter Roeck
2017-11-07 10:34 ` Greg Kroah-Hartman
2017-11-06 21:57 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171106112736.822997452@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ben@decadent.org.uk \
--cc=dhowells@redhat.com \
--cc=ebiggers@google.com \
--cc=james.l.morris@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox