| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250822142215.2475014-2-dhowells@redhat.com>
Date: Fri, 22 Aug 2025 15:22:08 +0100
From: David Howells <dhowells@...hat.com>
To: Jarkko Sakkinen <jarkko@...nel.org>
Cc: David Howells <dhowells@...hat.com>,
keyrings@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [PATCH 1/7] lib: Fix a couple of potential signed oveflows
Fix keyctl_read_alloc() to check for a potential unsigned overflow when we
allocate a buffer with an extra byte added on the end for a NUL.
Fix keyctl_dh_compute_alloc() for the same thing.
Signed-off-by: David Howells <dhowells@...hat.com>
---
keyutils.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/keyutils.c b/keyutils.c
index 37b6cc3..fd02cda 100644
--- a/keyutils.c
+++ b/keyutils.c
@@ -18,6 +18,7 @@
#include <dlfcn.h>
#include <sys/uio.h>
#include <errno.h>
+#include <limits.h>
#include <asm/unistd.h>
#include "keyutils.h"
@@ -442,6 +443,8 @@ int keyctl_read_alloc(key_serial_t id, void **_buffer)
return -1;
for (;;) {
+ if (ret == LONG_MAX)
+ return -EFBIG; /* Don't let buflen+1 overflow. */
buflen = ret;
buf = malloc(buflen + 1);
if (!buf)
@@ -515,6 +518,8 @@ int keyctl_dh_compute_alloc(key_serial_t priv, key_serial_t prime,
if (ret < 0)
return -1;
+ if (ret == LONG_MAX)
+ return -EFBIG; /* Don't let buflen+1 overflow. */
buflen = ret;
buf = malloc(buflen + 1);
if (!buf)
Powered by blists - more mailing lists