authorDavi Arnaut <davi.arnaut@gmail.com>2006-02-03 06:04:46 -0500
committerLinus Torvalds <torvalds@g5.osdl.org>2006-02-03 11:32:10 -0500
commit6d94074f0804143eac6bce72dc04447c0040e7d8 (patch)
tree2833a03682e12d81d4bd849435cd9f95e64e9350
parent353368dffb56b066cbe00264581a56caf0241b29 (diff)
[PATCH] Fix keyctl usage of strnlen_user()
In the small window between strnlen_user() and copy_from_user() userspace could alter the terminating `\0' character. Signed-off-by: Davi Arnaut <davi.arnaut@gmail.com> Cc: David Howells <dhowells@redhat.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r--security/keys/keyctl.c15
1 files changed, 10 insertions, 5 deletions
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 90db5c76cf6e..0c62798ac7d8 100644
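--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -67,9 +67,10 @@ asmlinkage long sys_add_key(const char __user *_type,
 description = kmalloc(dlen + 1, GFP_KERNEL);
 if (!description)
 goto error;
+description[dlen] = '\0';
 
 ret = -EFAULT;
-if (copy_from_user(description, _description, dlen + 1) != 0)
+if (copy_from_user(description, _description, dlen) != 0)
 goto error2;
 
 /* pull the payload in if one was supplied */
@@ -161,9 +162,10 @@ asmlinkage long sys_request_key(const char __user *_type,
 description = kmalloc(dlen + 1, GFP_KERNEL);
 if (!description)
 goto error;
+description[dlen] = '\0';
 
 ret = -EFAULT;
-if (copy_from_user(description, _description, dlen + 1) != 0)
+if (copy_from_user(description, _description, dlen) != 0)
 goto error2;
 
 /* pull the callout info into kernel space */
@@ -182,9 +184,10 @@ asmlinkage long sys_request_key(const char __user *_type,
 callout_info = kmalloc(dlen + 1, GFP_KERNEL);
 if (!callout_info)
 goto error2;
+callout_info[dlen] = '\0';
 
 ret = -EFAULT;
-if (copy_from_user(callout_info, _callout_info, dlen + 1) != 0)
+if (copy_from_user(callout_info, _callout_info, dlen) != 0)
 goto error3;
 }
 
@@ -279,9 +282,10 @@ long keyctl_join_session_keyring(const char __user *_name)
 name = kmalloc(nlen + 1, GFP_KERNEL);
 if (!name)
 goto error;
+name[nlen] = '\0';
 
 ret = -EFAULT;
-if (copy_from_user(name, _name, nlen + 1) != 0)
+if (copy_from_user(name, _name, nlen) != 0)
 goto error2;
 }
 
@@ -583,9 +587,10 @@ long keyctl_keyring_search(key_serial_t ringid,
 description = kmalloc(dlen + 1, GFP_KERNEL);
 if (!description)
 goto error;
+description[dlen] = '\0';
 
 ret = -EFAULT;
-if (copy_from_user(description, _description, dlen + 1) != 0)
+if (copy_from_user(description, _description, dlen) != 0)
 goto error2;
 
 /* get the keyring at which to begin the search */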
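Review bot: User memory is still fetched twice at each of the five sites (`sys_add_key`, both copies in `sys_request_key`, `keyctl_join_session_keyring`, `keyctl_keyring_search`): the length is measured before the hunk and the bytes are copied afterwards, so a concurrent writer can still make the copied string shorter than `dlen`/`nlen`. The new explicit terminator keeps the buffer terminated, but any later code that treats `dlen` as the string length would be using a stale value; the rest of each function lies outside the hunks, so that needs checking there. A single bounded fetch such as `strncpy_from_user(description, _description, dlen)`, with its return value used as the length and wrapped in one shared helper, would remove both the double fetch and the five-fold duplication. At minimum, a comment next to the new assignment such as `/* userspace may rewrite the string after strnlen_user(); terminate it ourselves */` would record why the copy length dropped by one.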