| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1508168854.22379.25.camel@codethink.co.uk>
Date: Mon, 16 Oct 2017 16:47:34 +0100
From: Ben Hutchings <ben.hutchings@...ethink.co.uk>
To: Eric Biggers <ebiggers@...gle.com>,
David Howells <dhowells@...hat.com>
Cc: stable@...r.kernel.org,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 4.4 11/41] KEYS: fix writing past end of user-supplied
buffer in keyring_read()
On Tue, 2017-10-03 at 14:21 +0200, Greg Kroah-Hartman wrote:
> 4.4-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Eric Biggers <ebiggers@...gle.com>
>
> commit e645016abc803dafc75e4b8f6e4118f088900ffb upstream.
>
> Userspace can call keyctl_read() on a keyring to get the list of IDs of
> keys in the keyring. But if the user-supplied buffer is too small, the
> kernel would write the full list anyway --- which will corrupt whatever
> userspace memory happened to be past the end of the buffer. Fix it by
> only filling the space that is available.
[...]
trusted_read() has the same bug.
Also, the comment above keyctl_read_key() says "return the amount of
data that is available in the key, irrespective of how much we copied
into the buffer." All the other implementations of key_type::read seem
to follow that, but this changes keyring_read() to return buflen in
case of a truncated read.
Ben.
--
Ben Hutchings
Software Developer, Codethink Ltd.
Powered by blists - more mailing lists