On Fri, Nov 10, 2017 at 11:28:51AM -0800, Eric Biggers wrote:
> commit a3c812f7cfd80cf51e8f5b7034f7418f6beb56c1 upstream.
> [Please apply to 3.18-stable.]
>
> When calling keyctl_read() on a key of type "trusted", if the
> user-supplied buffer was too small, the kernel ignored the buffer length
> and just wrote past the end of the buffer, potentially corrupting
> userspace memory. Fix it by instead returning the size required, as per
> the documentation for keyctl_read().
>
> We also don't even fill the buffer at all in this case, as this is
> slightly easier to implement than doing a short read, and either
> behavior appears to be permitted. It also makes it match the behavior
> of the "encrypted" key type.
>
> Fixes: d00a1c72f7f4 ("keys: add new trusted key-type")
> Reported-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx> # v2.6.38+
> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
> Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
> Reviewed-by: James Morris <james.l.morris@xxxxxxxxxx>
> Signed-off-by: James Morris <james.l.morris@xxxxxxxxxx>
> ---
>  security/keys/trusted.c | 23 ++++++++++++-----------
>  1 file changed, 12 insertions(+), 11 deletions(-)

Thanks for both of these, now queued up.

greg k-h
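The read contract described in the quoted commit message, modelled in userspace C as an added example (this is not the kernel patch and not code from this thread). `model_key_read`, `read_whole_key`, `short_read_is_safe` and the payload are hypothetical names and constructed data; the model assumes only what the message states: return the size required, and leave a too-small buffer untouched.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a key payload; not real trusted-key data. */
static const char payload[] = "constructed-sealed-blob-0123456789";

/* Model of the fixed behaviour: always return the size required and
 * copy only when the caller's buffer can hold the whole payload. */
static long model_key_read(char *buffer, size_t buflen)
{
    size_t need = sizeof(payload) - 1;

    if (buffer && buflen >= need)
        memcpy(buffer, payload, need);
    return (long)need;
}

/* Caller side: probe for the size, allocate, read, then compare the
 * return value with the buffer size, since the payload could change
 * between the two calls. */
static char *read_whole_key(size_t *out_len)
{
    long need = model_key_read(NULL, 0);

    while (need > 0) {
        char *buf = malloc((size_t)need);
        if (!buf)
            return NULL;
        long got = model_key_read(buf, (size_t)need);
        if (got >= 0 && got <= need) { *out_len = (size_t)got; return buf; }
        free(buf);
        need = got;               /* grew (retry) or error (loop ends) */
    }
    return NULL;
}

/* Returns 1 if a read into an 8-byte window reports the full size and
 * leaves both the window and the 4 guard bytes after it unmodified. */
static int short_read_is_safe(void)
{
    unsigned char buf[8 + 4];

    memset(buf, 0xAA, sizeof(buf));
    long ret = model_key_read((char *)buf, 8);
    for (size_t i = 0; i < sizeof(buf); i++)
        if (buf[i] != 0xAA)
            return 0;
    return ret == (long)(sizeof(payload) - 1);
}
```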