3.18-stable patches

added patches:
	keys-fix-writing-past-end-of-user-supplied-buffer-in-keyring_read.patch

diff --git a/queue-3.18/keys-fix-writing-past-end-of-user-supplied-buffer-in-keyring_read.patch b/queue-3.18/keys-fix-writing-past-end-of-user-supplied-buffer-in-keyring_read.patch
new file mode 100644 (file)
index 0000000..33a715b
--- /dev/null
+++ b/queue-3.18/keys-fix-writing-past-end-of-user-supplied-buffer-in-keyring_read.patch
@@ -0,0 +1,66 @@
+From e645016abc803dafc75e4b8f6e4118f088900ffb Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 18 Sep 2017 11:36:45 -0700
+Subject: KEYS: fix writing past end of user-supplied buffer in keyring_read()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit e645016abc803dafc75e4b8f6e4118f088900ffb upstream.
+
+Userspace can call keyctl_read() on a keyring to get the list of IDs of
+keys in the keyring.  But if the user-supplied buffer is too small, the
+kernel would write the full list anyway --- which will corrupt whatever
+userspace memory happened to be past the end of the buffer.  Fix it by
+only filling the space that is available.
+
+Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/keys/keyring.c |   14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -416,7 +416,7 @@ static void keyring_describe(const struc
+ }
+ 
+ struct keyring_read_iterator_context {
+-      size_t                  qty;
++      size_t                  buflen;
+       size_t                  count;
+       key_serial_t __user     *buffer;
+ };
+@@ -428,9 +428,9 @@ static int keyring_read_iterator(const v
+       int ret;
+ 
+       kenter("{%s,%d},,{%zu/%zu}",
+-             key->type->name, key->serial, ctx->count, ctx->qty);
++             key->type->name, key->serial, ctx->count, ctx->buflen);
+ 
+-      if (ctx->count >= ctx->qty)
++      if (ctx->count >= ctx->buflen)
+               return 1;
+ 
+       ret = put_user(key->serial, ctx->buffer);
+@@ -465,16 +465,12 @@ static long keyring_read(const struct ke
+               return 0;
+ 
+       /* Calculate how much data we could return */
+-      ctx.qty = nr_keys * sizeof(key_serial_t);
+-
+       if (!buffer || !buflen)
+-              return ctx.qty;
+-
+-      if (buflen > ctx.qty)
+-              ctx.qty = buflen;
++              return nr_keys * sizeof(key_serial_t);
+ 
+       /* Copy the IDs of the subscribed keys into the buffer */
+       ctx.buffer = (key_serial_t __user *)buffer;
++      ctx.buflen = buflen;
+       ctx.count = 0;
+       ret = assoc_array_iterate(&keyring->keys, keyring_read_iterator, &ctx);
+       if (ret < 0) {

diff --git a/queue-3.18/series b/queue-3.18/series
index a56c89a58900d99be6742046213e096103cfecb3..e73a251552134028fe2544b0ea23cd9e3e8059c8 100644 (file)
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -6,3 +6,4 @@ tracing-fix-trace_pipe-behavior-for-instance-traces.patch
 tracing-erase-irqsoff-trace-with-empty-write.patch
 scsi-scsi_transport_iscsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
 crypto-talitos-fix-sha224.patch
+keys-fix-writing-past-end-of-user-supplied-buffer-in-keyring_read.patch