| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200305211651.GA225345@gmail.com>
Date: Thu, 5 Mar 2020 13:16:51 -0800
From: Eric Biggers <ebiggers@...nel.org>
To: Waiman Long <longman@...hat.com>
Cc: David Howells <dhowells@...hat.com>,
Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>,
James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>,
Mimi Zohar <zohar@...ux.ibm.com>, keyrings@...r.kernel.org,
linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-integrity@...r.kernel.org,
Sumit Garg <sumit.garg@...aro.org>,
Jerry Snitselaar <jsnitsel@...hat.com>,
Roberto Sassu <roberto.sassu@...wei.com>,
Chris von Recklinghausen <crecklin@...hat.com>
Subject: Re: [PATCH] KEYS: Don't write out to userspace while holding key
semaphore
On Thu, Mar 05, 2020 at 04:06:40PM -0500, Waiman Long wrote:
> diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
> index 9b898c969558..564a4d187329 100644
> --- a/security/keys/keyctl.c
> +++ b/security/keys/keyctl.c
> @@ -846,14 +846,36 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
> can_read_key:
> ret = -EOPNOTSUPP;
> if (key->type->read) {
> - /* Read the data with the semaphore held (since we might sleep)
> + /*
> + * Read the data with the semaphore held (since we might sleep)
> * to protect against the key being updated or revoked.
> + *
> + * Allocating a temporary buffer to hold the keys before
> + * transferring them to user buffer to avoid potential
> + * deadlock involving page fault and mmap_sem.
> */
> + char *tmpbuf = kmalloc(buflen, GFP_KERNEL);
This is passing an arbitrarily large size from userspace into kmalloc().
- Eric
Powered by blists - more mailing lists