Date: Fri, 27 Oct 2017 10:04:31 +0200 (CEST)
From: James Morris
To: Eric Biggers
cc: keyrings@vger.kernel.org, David Howells, Ben Hutchings, Xiao Yang, Eric Biggers, stable@vger.kernel.org
Subject: Re: [PATCH] KEYS: return full count in keyring_read() if buffer is too small
In-Reply-To: <20171026205644.105471-1-ebiggers3@gmail.com>

On Thu, 26 Oct 2017, Eric Biggers wrote:

> From: Eric Biggers
>
> Commit e645016abc80 ("KEYS: fix writing past end of user-supplied buffer
> in keyring_read()") made keyring_read() stop corrupting userspace memory
> when the user-supplied buffer is too small. However it also made the
> return value in that case be the short buffer size rather than the size
> required, yet keyctl_read() is actually documented to return the size
> required. Therefore, switch it over to the documented behavior.
>
> Note that for now we continue to have it fill the short buffer, since it
> did that before (pre-v3.13) and dump_key_tree_aux() in keyutils arguably
> relies on it.
>
> Fixes: e645016abc80 ("KEYS: fix writing past end of user-supplied buffer in keyring_read()")
> Reported-by: Ben Hutchings
> Cc: # v3.13+
> Signed-off-by: Eric Biggers

Reviewed-by: James Morris

--
James Morris
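The return-value contract discussed in this thread, seen from the caller's side, as an added example that is not part of the patch, the kernel or keyutils. It is a userspace model that makes no real keyctl() call; `sample_keys`, `model_read`, `read_all` and `count_with` are hypothetical names, and the key IDs are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: a keyring holding five key serial numbers. */
static const int32_t sample_keys[5] = {101, 102, 103, 104, 105};

/* Model of a keyring read: copies as many whole IDs as fit in buf.
 * full_count=1 returns the size required (documented behaviour);
 * full_count=0 returns the short size (behaviour after e645016abc80). */
static long model_read(int32_t *buf, size_t buflen, int full_count)
{
    size_t need = sizeof(sample_keys);
    size_t n = buflen < need ? buflen : need;
    n -= n % sizeof(int32_t);
    memcpy(buf, sample_keys, n);
    return (long)(full_count ? need : n);
}
static long read_documented(int32_t *b, size_t l) { return model_read(b, l, 1); }
static long read_short_count(int32_t *b, size_t l) { return model_read(b, l, 0); }

typedef long (*read_fn)(int32_t *buf, size_t buflen);

/* Caller-side loop: a return value larger than the buffer means "too
 * small, this many bytes are required", so grow and retry.
 * Returns the number of IDs read, or -1 on error. */
static long read_all(read_fn rd, int32_t **out, size_t start_len)
{
    size_t len = start_len;
    int32_t *buf = malloc(len);
    if (!buf) return -1;
    for (;;) {
        long ret = rd(buf, len);
        if (ret < 0) { free(buf); return -1; }
        if ((size_t)ret <= len) { *out = buf; return ret / (long)sizeof(int32_t); }
        int32_t *nb = realloc(buf, (size_t)ret);
        if (!nb) { free(buf); return -1; }
        buf = nb; len = (size_t)ret;
    }
}

/* Start with room for only two IDs and report how many the caller ends up with. */
static long count_with(read_fn rd)
{
    int32_t *ids = NULL;
    long n = read_all(rd, &ids, 2 * sizeof(int32_t));
    free(ids);
    return n;
}

int main(void)
{
    printf("documented: %ld IDs, short count: %ld IDs\n",
           count_with(read_documented), count_with(read_short_count));
    return 0;
}
```

With the short-count return the caller cannot tell a truncated listing from a complete one, which is why the return value matters to any tool that enumerates a keyring.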