From mboxrd@z Thu Jan  1 00:00:00 1970
From: James Morris <james.l.morris@oracle.com>
Date: Fri, 27 Oct 2017 07:55:39 +0000
Subject: Re: [PATCH] KEYS: trusted: fix writing past end of buffer in trusted_read()
Message-Id: <alpine.LFD.2.20.1710270954210.2635@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
List-Id: <keyrings.vger.kernel.org>
References: <20171026205744.105566-1-ebiggers3@gmail.com>
In-Reply-To: <20171026205744.105566-1-ebiggers3@gmail.com>
To: linux-security-module@vger.kernel.org

On Thu, 26 Oct 2017, Eric Biggers wrote:

> From: Eric Biggers <ebiggers@google.com>
> 
> When calling keyctl_read() on a key of type "trusted", if the
> user-supplied buffer was too small, the kernel ignored the buffer length
> and just wrote past the end of the buffer, potentially corrupting
> userspace memory.  Fix it by instead returning the size required, as per
> the documentation for keyctl_read().
> 
> We also don't even fill the buffer at all in this case, as this is
> slightly easier to implement than doing a short read, and either
> behavior appears to be permitted.  It also makes it match the behavior
> of the "encrypted" key type.
> 
> Fixes: d00a1c72f7f4 ("keys: add new trusted key-type")
> Reported-by: Ben Hutchings <ben@decadent.org.uk>
> Cc: <stable@vger.kernel.org> # v2.6.38+
> Signed-off-by: Eric Biggers <ebiggers@google.com>


Reviewed-by: James Morris <james.l.morris@oracle.com>



-- 
James Morris
<james.l.morris@oracle.com>


From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from aserp1040.oracle.com ([141.146.126.69]:47513 "EHLO
        aserp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751158AbdJ0H4M (ORCPT
        <rfc822;stable@vger.kernel.org>); Fri, 27 Oct 2017 03:56:12 -0400
Date: Fri, 27 Oct 2017 09:55:39 +0200 (CEST)
From: James Morris <james.l.morris@oracle.com>
To: Eric Biggers <ebiggers3@gmail.com>
cc: keyrings@vger.kernel.org, David Howells <dhowells@redhat.com>,
        Ben Hutchings <ben@decadent.org.uk>,
        Xiao Yang <yangx.jy@cn.fujitsu.com>,
        David Safford <safford@us.ibm.com>,
        Mimi Zohar <zohar@linux.vnet.ibm.com>,
        linux-security-module@vger.kernel.org,
        Eric Biggers <ebiggers@google.com>, stable@vger.kernel.org
Subject: Re: [PATCH] KEYS: trusted: fix writing past end of buffer in
 trusted_read()
In-Reply-To: <20171026205744.105566-1-ebiggers3@gmail.com>
Message-ID: <alpine.LFD.2.20.1710270954210.2635@localhost>
References: <20171026205744.105566-1-ebiggers3@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

On Thu, 26 Oct 2017, Eric Biggers wrote:

> From: Eric Biggers <ebiggers@google.com>
> 
> When calling keyctl_read() on a key of type "trusted", if the
> user-supplied buffer was too small, the kernel ignored the buffer length
> and just wrote past the end of the buffer, potentially corrupting
> userspace memory.  Fix it by instead returning the size required, as per
> the documentation for keyctl_read().
> 
> We also don't even fill the buffer at all in this case, as this is
> slightly easier to implement than doing a short read, and either
> behavior appears to be permitted.  It also makes it match the behavior
> of the "encrypted" key type.
> 
> Fixes: d00a1c72f7f4 ("keys: add new trusted key-type")
> Reported-by: Ben Hutchings <ben@decadent.org.uk>
> Cc: <stable@vger.kernel.org> # v2.6.38+
> Signed-off-by: Eric Biggers <ebiggers@google.com>


Reviewed-by: James Morris <james.l.morris@oracle.com>



-- 
James Morris
<james.l.morris@oracle.com>

From mboxrd@z Thu Jan  1 00:00:00 1970
From: james.l.morris@oracle.com (James Morris)
Date: Fri, 27 Oct 2017 09:55:39 +0200 (CEST)
Subject: [PATCH] KEYS: trusted: fix writing past end of buffer in
	trusted_read()
In-Reply-To: <20171026205744.105566-1-ebiggers3@gmail.com>
References: <20171026205744.105566-1-ebiggers3@gmail.com>
Message-ID: <alpine.LFD.2.20.1710270954210.2635@localhost>
To: linux-security-module@vger.kernel.org
List-Id: linux-security-module.vger.kernel.org

On Thu, 26 Oct 2017, Eric Biggers wrote:

> From: Eric Biggers <ebiggers@google.com>
> 
> When calling keyctl_read() on a key of type "trusted", if the
> user-supplied buffer was too small, the kernel ignored the buffer length
> and just wrote past the end of the buffer, potentially corrupting
> userspace memory.  Fix it by instead returning the size required, as per
> the documentation for keyctl_read().
> 
> We also don't even fill the buffer at all in this case, as this is
> slightly easier to implement than doing a short read, and either
> behavior appears to be permitted.  It also makes it match the behavior
> of the "encrypted" key type.
> 
> Fixes: d00a1c72f7f4 ("keys: add new trusted key-type")
> Reported-by: Ben Hutchings <ben@decadent.org.uk>
> Cc: <stable@vger.kernel.org> # v2.6.38+
> Signed-off-by: Eric Biggers <ebiggers@google.com>


Reviewed-by: James Morris <james.l.morris@oracle.com>



-- 
James Morris
<james.l.morris@oracle.com>

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html