Message-Id: <20060208064905.310066000@sorel.sous-sol.org>
References: <20060208064503.924238000@sorel.sous-sol.org>
Date: Tue, 07 Feb 2006 22:45:16 -0800
From: Chris Wright
To: linux-kernel@vger.kernel.org, stable@kernel.org, torvalds@osdl.org
Cc: Justin Forbes, Zwane Mwaikambo, "Theodore Ts'o", Randy Dunlap, Dave Jones, Chuck Wolber, akpm@osdl.org, alan@lxorguk.ukuu.org.uk, dhowells@redhat.com, davi.arnaut@gmail.com
Subject: [PATCH 13/23] Fix keyctl usage of strnlen_user()

-stable review patch. If anyone has any objections, please let us know.
------------------

In the small window between strnlen_user() and copy_from_user() userspace could alter the terminating `\0' character.

Signed-off-by: Davi Arnaut
Cc: David Howells
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Chris Wright
--- security/keys/keyctl.c | 15 ++++++++++----- 1 files changed, 10 insertions(+), 5 deletions(-) Index: linux-2.6.15.3/security/keys/keyctl.c =================================================================== --- linux-2.6.15.3.orig/security/keys/keyctl.c +++ linux-2.6.15.3/security/keys/keyctl.c
@@ -66,9 +66,10 @@ asmlinkage long sys_add_key(const char _ description = kmalloc(dlen + 1, GFP_KERNEL); if (!description) goto error; + description[dlen] = '\0'; ret = -EFAULT; - if (copy_from_user(description, _description, dlen + 1) != 0) + if (copy_from_user(description, _description, dlen) != 0) goto error2; /* pull the payload in if one was supplied */ @@ -160,9 +161,10 @@ asmlinkage long sys_request_key(const ch description = kmalloc(dlen + 1, GFP_KERNEL); if (!description) goto error; + description[dlen] = '\0'; ret = -EFAULT; - if (copy_from_user(description, _description, dlen + 1) != 0) + if (copy_from_user(description, _description, dlen) != 0) goto error2; /* pull the callout info into kernel space */ @@ -181,9 +183,10 @@ asmlinkage long sys_request_key(const ch callout_info = kmalloc(dlen + 1, GFP_KERNEL); if (!callout_info) goto error2; + callout_info[dlen] = '\0'; ret = -EFAULT; - if (copy_from_user(callout_info, _callout_info, dlen + 1) != 0) + if (copy_from_user(callout_info, _callout_info, dlen) != 0) goto error3; } @@ -278,9 +281,10 @@ long keyctl_join_session_keyring(const c name = kmalloc(nlen + 1, GFP_KERNEL); if (!name) goto error; + name[nlen] = '\0'; ret = -EFAULT; - if (copy_from_user(name, _name, nlen + 1) != 0) + if (copy_from_user(name, _name, nlen) != 0) goto error2; } @@ -582,9 +586,10 @@ long keyctl_keyring_search(key_serial_t description = kmalloc(dlen + 1, GFP_KERNEL); if (!description) goto error; + description[dlen] = '\0'; ret = -EFAULT; - if (copy_from_user(description, _description, dlen + 1) != 0) + if (copy_from_user(description, _description, dlen) != 0) goto error2; /* get the keyring at which to begin the search */
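Review bot: dlen/nlen is still a stale measurement after this change, in all five hunks. Writing the terminator from the kernel side (description[dlen] = '\0', callout_info[dlen] = '\0', name[nlen] = '\0') and copying only dlen/nlen bytes guarantees the kernel buffer is terminated, which closes the window the commit message describes, but userspace can still write an earlier '\0' between strnlen_user() and copy_from_user(), leaving a shorter string followed by leftover user bytes inside the allocation. That is harmless for code that treats the buffer as a C string, but any later use of dlen/nlen as the string's length should be replaced by strlen() on the kernel copy, and a short comment at each site saying the terminator is deliberately kernel-written would stop someone from restoring the "+ 1" copy. The measure, kmalloc(len + 1), terminate, copy_from_user(len) sequence is also open-coded identically in sys_add_key, sys_request_key (twice), keyctl_join_session_keyring and keyctl_keyring_search; folding it into one helper would keep the five sites from diverging.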