From a0d297b35b3f43beca17495f715c2d20deab2392 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 2 Oct 2017 11:57:13 +0200
Subject: [PATCH] 4.4-stable patches

added patches:
keys-fix-writing-past-end-of-user-supplied-buffer-in-keyring_read.patch
---
 ...user-supplied-buffer-in-keyring_read.patch | 66 +++++++++++++++++++
 queue-4.4/series | 1 +
 2 files changed, 67 insertions(+)
 create mode 100644 queue-4.4/keys-fix-writing-past-end-of-user-supplied-buffer-in-keyring_read.patch

diff --git a/queue-4.4/keys-fix-writing-past-end-of-user-supplied-buffer-in-keyring_read.patch b/queue-4.4/keys-fix-writing-past-end-of-user-supplied-buffer-in-keyring_read.patch
new file mode 100644
index 00000000000..33a715bffba
--- /dev/null
+++ b/queue-4.4/keys-fix-writing-past-end-of-user-supplied-buffer-in-keyring_read.patch
@@ -0,0 +1,66 @@
+From e645016abc803dafc75e4b8f6e4118f088900ffb Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Mon, 18 Sep 2017 11:36:45 -0700
+Subject: KEYS: fix writing past end of user-supplied buffer in keyring_read()
+
+From: Eric Biggers
+
+commit e645016abc803dafc75e4b8f6e4118f088900ffb upstream.
+
+Userspace can call keyctl_read() on a keyring to get the list of IDs of
+keys in the keyring. But if the user-supplied buffer is too small, the
+kernel would write the full list anyway --- which will corrupt whatever
+userspace memory happened to be past the end of the buffer. Fix it by
+only filling the space that is available.
+
+Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring")
+Signed-off-by: Eric Biggers
+Signed-off-by: David Howells
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/keys/keyring.c | 14 +++++--------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -416,7 +416,7 @@ static void keyring_describe(const struc
+ }
+
+ struct keyring_read_iterator_context {
+- size_t qty;
++ size_t buflen;
+ size_t count;
+ key_serial_t __user *buffer;
+ };
+@@ -428,9 +428,9 @@ static int keyring_read_iterator(const v
+ int ret;
+
+ kenter("{%s,%d},,{%zu/%zu}",
+- key->type->name, key->serial, ctx->count, ctx->qty);
++ key->type->name, key->serial, ctx->count, ctx->buflen);
+
+- if (ctx->count >= ctx->qty)
++ if (ctx->count >= ctx->buflen)
+ return 1;
+
+ ret = put_user(key->serial, ctx->buffer);
+@@ -465,16 +465,12 @@ static long keyring_read(const struct ke
+ return 0;
+
+ /* Calculate how much data we could return */
+- ctx.qty = nr_keys * sizeof(key_serial_t);
+-
+ if (!buffer || !buflen)
+- return ctx.qty;
+-
+- if (buflen > ctx.qty)
+- ctx.qty = buflen;
++ return nr_keys * sizeof(key_serial_t);
+
+ /* Copy the IDs of the subscribed keys into the buffer */
+ ctx.buffer = (key_serial_t __user *)buffer;
++ ctx.buflen = buflen;
+ ctx.count = 0;
+ ret = assoc_array_iterate(&keyring->keys, keyring_read_iterator, &ctx);
+ if (ret < 0) {
diff --git a/queue-4.4/series b/queue-4.4/series
index 985397e53ed..0c590351b9c 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -8,3 +8,4 @@ md-raid5-preserve-stripe_on_unplug_list-in-break_stripe_batch_list.patch
 scsi-scsi_transport_iscsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
 crypto-talitos-don-t-provide-setkey-for-non-hmac-hashing-algs.patch
 crypto-talitos-fix-sha224.patch
+keys-fix-writing-past-end-of-user-supplied-buffer-in-keyring_read.patch
-- 
2.47.3
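Review bot: The new bound in keyring_read_iterator, `if (ctx->count >= ctx->buflen)`, compares the bytes written so far against the raw user-supplied length before put_user() stores a whole key_serial_t, so a buflen that is not a multiple of sizeof(key_serial_t) can still let the final store cross the end of the buffer by up to sizeof(key_serial_t) - 1 bytes (e.g. buflen 6 with count 4 passes the test), assuming ctx->count advances by sizeof(key->serial) after each store, which happens outside the hunk. Rounding the length down where it is set in keyring_read, `ctx.buflen = buflen - (buflen % sizeof(key_serial_t));`, closes that gap, or the iterator can test the whole element, `if (ctx->count + sizeof(key->serial) > ctx->buflen) return 1;`. Both keyring_read_iterator and keyring_read begin and end outside the quoted hunks, so the increment of ctx->count should be confirmed against the full file. The series hunk only appends the patch name and needs no change.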