On Tue, 2017-10-03 at 14:21 +0200, Greg Kroah-Hartman wrote: > 4.4-stable review patch. If anyone has any objections, please let me know. > > ------------------ > > From: Eric Biggers <[email protected]> > > commit e645016abc803dafc75e4b8f6e4118f088900ffb upstream. > > Userspace can call keyctl_read() on a keyring to get the list of IDs of > keys in the keyring. But if the user-supplied buffer is too small, the > kernel would write the full list anyway --- which will corrupt whatever > userspace memory happened to be past the end of the buffer. Fix it by > only filling the space that is available. [...]
trusted_read() has the same bug. Also, the comment above keyctl_read_key() says "return the amount of data that is available in the key, irrespective of how much we copied into the buffer." All the other implementations of key_type::read seem to follow that, but this changes keyring_read() to return buflen in case of a truncated read. Ben. -- Ben Hutchings Software Developer, Codethink Ltd.
