[PATCH] Fix keyctl usage of strnlen_user()
In the small window between strnlen_user() and copy_from_user() userspace could alter the terminating `\0' character. Signed-off-by: Davi Arnaut <davi.arnaut@gmail.com> Cc: David Howells <dhowells@redhat.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This commit is contained in:
parent
353368dffb
commit
6d94074f08
@ -67,9 +67,10 @@ asmlinkage long sys_add_key(const char __user *_type,
|
|||||||
description = kmalloc(dlen + 1, GFP_KERNEL);
|
description = kmalloc(dlen + 1, GFP_KERNEL);
|
||||||
if (!description)
|
if (!description)
|
||||||
goto error;
|
goto error;
|
||||||
|
description[dlen] = '\0';
|
||||||
|
|
||||||
ret = -EFAULT;
|
ret = -EFAULT;
|
||||||
if (copy_from_user(description, _description, dlen + 1) != 0)
|
if (copy_from_user(description, _description, dlen) != 0)
|
||||||
goto error2;
|
goto error2;
|
||||||
|
|
||||||
/* pull the payload in if one was supplied */
|
/* pull the payload in if one was supplied */
|
||||||
@ -161,9 +162,10 @@ asmlinkage long sys_request_key(const char __user *_type,
|
|||||||
description = kmalloc(dlen + 1, GFP_KERNEL);
|
description = kmalloc(dlen + 1, GFP_KERNEL);
|
||||||
if (!description)
|
if (!description)
|
||||||
goto error;
|
goto error;
|
||||||
|
description[dlen] = '\0';
|
||||||
|
|
||||||
ret = -EFAULT;
|
ret = -EFAULT;
|
||||||
if (copy_from_user(description, _description, dlen + 1) != 0)
|
if (copy_from_user(description, _description, dlen) != 0)
|
||||||
goto error2;
|
goto error2;
|
||||||
|
|
||||||
/* pull the callout info into kernel space */
|
/* pull the callout info into kernel space */
|
||||||
@ -182,9 +184,10 @@ asmlinkage long sys_request_key(const char __user *_type,
|
|||||||
callout_info = kmalloc(dlen + 1, GFP_KERNEL);
|
callout_info = kmalloc(dlen + 1, GFP_KERNEL);
|
||||||
if (!callout_info)
|
if (!callout_info)
|
||||||
goto error2;
|
goto error2;
|
||||||
|
callout_info[dlen] = '\0';
|
||||||
|
|
||||||
ret = -EFAULT;
|
ret = -EFAULT;
|
||||||
if (copy_from_user(callout_info, _callout_info, dlen + 1) != 0)
|
if (copy_from_user(callout_info, _callout_info, dlen) != 0)
|
||||||
goto error3;
|
goto error3;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -279,9 +282,10 @@ long keyctl_join_session_keyring(const char __user *_name)
|
|||||||
name = kmalloc(nlen + 1, GFP_KERNEL);
|
name = kmalloc(nlen + 1, GFP_KERNEL);
|
||||||
if (!name)
|
if (!name)
|
||||||
goto error;
|
goto error;
|
||||||
|
name[nlen] = '\0';
|
||||||
|
|
||||||
ret = -EFAULT;
|
ret = -EFAULT;
|
||||||
if (copy_from_user(name, _name, nlen + 1) != 0)
|
if (copy_from_user(name, _name, nlen) != 0)
|
||||||
goto error2;
|
goto error2;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -583,9 +587,10 @@ long keyctl_keyring_search(key_serial_t ringid,
|
|||||||
description = kmalloc(dlen + 1, GFP_KERNEL);
|
description = kmalloc(dlen + 1, GFP_KERNEL);
|
||||||
if (!description)
|
if (!description)
|
||||||
goto error;
|
goto error;
|
||||||
|
description[dlen] = '\0';
|
||||||
|
|
||||||
ret = -EFAULT;
|
ret = -EFAULT;
|
||||||
if (copy_from_user(description, _description, dlen + 1) != 0)
|
if (copy_from_user(description, _description, dlen) != 0)
|
||||||
goto error2;
|
goto error2;
|
||||||
|
|
||||||
/* get the keyring at which to begin the search */
|
/* get the keyring at which to begin the search */
|
||||||
|
Loading…
Reference in New Issue
Block a user