From: Greg Kroah-Hartman
Date: Mon, 2 Oct 2017 09:56:39 +0000 (+0200)
Subject: 3.18-stable patches
X-Git-Tag: v3.18.73~30
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e228cf183bc2ff11fa757df05800e112466d0466;p=thirdparty%2Fkernel%2Fstable-queue.git
3.18-stable patches
added patches:
keys-fix-writing-past-end-of-user-supplied-buffer-in-keyring_read.patch
---
diff --git a/queue-3.18/keys-fix-writing-past-end-of-user-supplied-buffer-in-keyring_read.patch b/queue-3.18/keys-fix-writing-past-end-of-user-supplied-buffer-in-keyring_read.patch
new file mode 100644
index 00000000000..33a715bffba
--- /dev/null
+++ b/queue-3.18/keys-fix-writing-past-end-of-user-supplied-buffer-in-keyring_read.patch
@@ -0,0 +1,66 @@
+From e645016abc803dafc75e4b8f6e4118f088900ffb Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Mon, 18 Sep 2017 11:36:45 -0700
+Subject: KEYS: fix writing past end of user-supplied buffer in keyring_read()
+
+From: Eric Biggers
+
+commit e645016abc803dafc75e4b8f6e4118f088900ffb upstream.
+
+Userspace can call keyctl_read() on a keyring to get the list of IDs of
+keys in the keyring. But if the user-supplied buffer is too small, the
+kernel would write the full list anyway --- which will corrupt whatever
+userspace memory happened to be past the end of the buffer. Fix it by
+only filling the space that is available.
+
+Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring")
+Signed-off-by: Eric Biggers
+Signed-off-by: David Howells
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/keys/keyring.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -416,7 +416,7 @@ static void keyring_describe(const struc
+ }
+
+ struct keyring_read_iterator_context {
+- size_t qty;
++ size_t buflen;
+ size_t count;
+ key_serial_t __user *buffer;
+ };
+@@ -428,9 +428,9 @@ static int keyring_read_iterator(const v
+ int ret;
+
+ kenter("{%s,%d},,{%zu/%zu}",
+- key->type->name, key->serial, ctx->count, ctx->qty);
++ key->type->name, key->serial, ctx->count, ctx->buflen);
+
+- if (ctx->count >= ctx->qty)
++ if (ctx->count >= ctx->buflen)
+ return 1;
+
+ ret = put_user(key->serial, ctx->buffer);
+@@ -465,16 +465,12 @@ static long keyring_read(const struct ke
+ return 0;
+
+ /* Calculate how much data we could return */
+- ctx.qty = nr_keys * sizeof(key_serial_t);
+-
+ if (!buffer || !buflen)
+- return ctx.qty;
+-
+- if (buflen > ctx.qty)
+- ctx.qty = buflen;
++ return nr_keys * sizeof(key_serial_t);
+
+ /* Copy the IDs of the subscribed keys into the buffer */
+ ctx.buffer = (key_serial_t __user *)buffer;
++ ctx.buflen = buflen;
+ ctx.count = 0;
+ ret =
assoc_array_iterate(&keyring->keys, keyring_read_iterator, &ctx);
+ if (ret < 0) {
diff --git a/queue-3.18/series b/queue-3.18/series
index a56c89a5890..e73a2515521 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -6,3 +6,4 @@ tracing-fix-trace_pipe-behavior-for-instance-traces.patch
 tracing-erase-irqsoff-trace-with-empty-write.patch
 scsi-scsi_transport_iscsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
 crypto-talitos-fix-sha224.patch
+keys-fix-writing-past-end-of-user-supplied-buffer-in-keyring_read.patch
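Review bot: The new guard `if (ctx->count >= ctx->buflen)` in keyring_read_iterator only keeps the following put_user() inside the user buffer when buflen is a multiple of sizeof(key_serial_t); for an unaligned buflen the last write can still land up to sizeof(key_serial_t) - 1 bytes past the end, assuming count advances by one serial per key (that increment is outside the hunk, as is any -EINVAL rejection of unaligned buflen earlier in keyring_read, whose start and end are both outside the hunk). A guard that does not depend on that precondition would be `if (ctx->buflen - ctx->count < sizeof(key->serial)) return 1;`. Separately, once the buffer is too small the iterator stops early and keyring_read appears to return whatever ctx.count reached (its tail is outside the hunk), so a caller cannot distinguish a truncated read from a complete one without a second NULL-buffer call; a comment above `ctx.buflen = buflen;` such as `/* Only as many IDs as fit are copied; the return value is the bytes written, not the size needed */` would make that contract explicit for the 3.18 backport.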