On 3/5/20 4:16 PM, Eric Biggers wrote:
> On Thu, Mar 05, 2020 at 04:06:40PM -0500, Waiman Long wrote:
>> diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
>> index 9b898c969558..564a4d187329 100644
>> --- a/security/keys/keyctl.c
>> +++ b/security/keys/keyctl.c
>> @@ -846,14 +846,36 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
>> can_read_key:
>> ret = -EOPNOTSUPP;
>> if (key->type->read) {
>> - /* Read the data with the semaphore held (since we might sleep)
>> + /*
>> + * Read the data with the semaphore held (since we might sleep)
>> * to protect against the key being updated or revoked.
>> + *
>> + * Allocating a temporary buffer to hold the keys before
>> + * transferring them to user buffer to avoid potential
>> + * deadlock involving page fault and mmap_sem.
>> */
>> + char *tmpbuf = kmalloc(buflen, GFP_KERNEL);
> This is passing an arbitrarily large size from userspace into kmalloc().
>
> - Eric
>
That is true. Is there a limit of how much key data are expected to be
returned from the kernel? We could set an internal limit here on how
large the buffer can be.
Cheers,
Longman
