KEYS: fix writing past end of user-supplied buffer in keyring_read() - linux - Linux Kernel (branches are rebased on master from time to time)

diff options

author	Eric Biggers <ebiggers@google.com>	2017-09-18 11:36:45 -0700
committer	David Howells <dhowells@redhat.com>	2017-09-25 15:19:57 +0100
commit	e645016abc803dafc75e4b8f6e4118f088900ffb (patch)
tree	93714c8259d9bb33ae016a8dcf9239e77af00d81 /lib/audit.c
parent	7fc0786d956d9e59b68d282be9b156179846ea3d (diff)
download	linux-e645016abc803dafc75e4b8f6e4118f088900ffb.tar.bz2

KEYS: fix writing past end of user-supplied buffer in keyring_read()

Userspace can call keyctl_read() on a keyring to get the list of IDs of keys in the keyring. But if the user-supplied buffer is too small, the kernel would write the full list anyway --- which will corrupt whatever userspace memory happened to be past the end of the buffer. Fix it by only filling the space that is available. Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring") Cc: <stable@vger.kernel.org> [v3.13+] Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com>

Diffstat (limited to 'lib/audit.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: