On Thu, 26 Oct 2017, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@xxxxxxxxxx>
>
> Commit e645016abc80 ("KEYS: fix writing past end of user-supplied buffer
> in keyring_read()") made keyring_read() stop corrupting userspace memory
> when the user-supplied buffer is too small. However it also made the
> return value in that case be the short buffer size rather than the size
> required, yet keyctl_read() is actually documented to return the size
> required. Therefore, switch it over to the documented behavior.
>
> Note that for now we continue to have it fill the short buffer, since it
> did that before (pre-v3.13) and dump_key_tree_aux() in keyutils arguably
> relies on it.
>
> Fixes: e645016abc80 ("KEYS: fix writing past end of user-supplied buffer in keyring_read()")
> Reported-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx> # v3.13+
> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
Reviewed-by: James Morris <james.l.morris@xxxxxxxxxx>
--
James Morris
<james.l.morris@xxxxxxxxxx>