
Contents of /genpatches-2.6/trunk/2.6.14/1425_15.4_keyctl-strlen.patch



Revision 328 - (show annotations) (download) (as text)
Tue Mar 14 13:34:17 2006 UTC (14 years, 8 months ago) by johnm
File MIME type: text/x-diff
File size: 2727 byte(s)
2.6.14-11, rebase against local tree
1 From stable-bounces@linux.kernel.org Fri Feb 3 03:11:51 2006
2 Date: Fri, 03 Feb 2006 03:04:46 -0800
3 From: akpm@osdl.org
4 To: torvalds@osdl.org
5 Cc: dhowells@redhat.com, stable@kernel.org, davi.arnaut@gmail.com
6 Subject: Fix keyctl usage of strnlen_user()
7
8 From: Davi Arnaut <davi.arnaut@gmail.com>
9
10 In the small window between strnlen_user() and copy_from_user() userspace
11 could alter the terminating `\0' character.
12
13 Signed-off-by: Davi Arnaut <davi.arnaut@gmail.com>
14 Cc: David Howells <dhowells@redhat.com>
15 Cc: <stable@kernel.org>
16 Signed-off-by: Andrew Morton <akpm@osdl.org>
17 Signed-off-by: Chris Wright <chrisw@sous-sol.org>
18 ---
19
20 security/keys/keyctl.c | 15 ++++++++++-----
21 1 files changed, 10 insertions(+), 5 deletions(-)
22
23 Index: linux-2.6.15.2/security/keys/keyctl.c
24 ===================================================================
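--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -66,9 +66,10 @@ asmlinkage long sys_add_key(const char _
 description = kmalloc(dlen + 1, GFP_KERNEL);
 if (!description)
 goto error;
+ description[dlen] = '\0';
 
 ret = -EFAULT;
- if (copy_from_user(description, _description, dlen + 1) != 0)
+ if (copy_from_user(description, _description, dlen) != 0)
 goto error2;
 
 /* pull the payload in if one was supplied */
@@ -160,9 +161,10 @@ asmlinkage long sys_request_key(const ch
 description = kmalloc(dlen + 1, GFP_KERNEL);
 if (!description)
 goto error;
+ description[dlen] = '\0';
 
 ret = -EFAULT;
- if (copy_from_user(description, _description, dlen + 1) != 0)
+ if (copy_from_user(description, _description, dlen) != 0)
 goto error2;
 
 /* pull the callout info into kernel space */
@@ -181,9 +183,10 @@ asmlinkage long sys_request_key(const ch
 callout_info = kmalloc(dlen + 1, GFP_KERNEL);
 if (!callout_info)
 goto error2;
+ callout_info[dlen] = '\0';
 
 ret = -EFAULT;
- if (copy_from_user(callout_info, _callout_info, dlen + 1) != 0)
+ if (copy_from_user(callout_info, _callout_info, dlen) != 0)
 goto error3;
 }
 
@@ -278,9 +281,10 @@ long keyctl_join_session_keyring(const c
 name = kmalloc(nlen + 1, GFP_KERNEL);
 if (!name)
 goto error;
+ name[nlen] = '\0';
 
 ret = -EFAULT;
- if (copy_from_user(name, _name, nlen + 1) != 0)
+ if (copy_from_user(name, _name, nlen) != 0)
 goto error2;
 }
 
@@ -582,9 +586,10 @@ long keyctl_keyring_search(key_serial_t
 description = kmalloc(dlen + 1, GFP_KERNEL);
 if (!description)
 goto error;
+ description[dlen] = '\0';
 
 ret = -EFAULT;
- if (copy_from_user(description, _description, dlen + 1) != 0)
+ if (copy_from_user(description, _description, dlen) != 0)
 goto error2;
 
 /* get the keyring at which to begin the search */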
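Review bot: The double fetch from user memory remains at all five sites (sys_add_key, both copies in sys_request_key, keyctl_join_session_keyring, keyctl_keyring_search): the length still comes from an earlier strnlen_user() call outside these hunks, and the bytes from a second read in copy_from_user(). Writing `description[dlen] = '\0';` before the copy does guarantee termination, but the buffer can now hold a NUL before index dlen, so the kernel string may be shorter than the measured length. Any later code that trusts dlen/nlen instead of taking strlen() of the kernel copy would be using a stale value; whether such code exists cannot be seen here, since every enclosing function starts and ends outside its hunk. A single-pass copy with `strncpy_from_user()` and a checked return value would remove the window entirely. Folding the five identical kmalloc/terminate/copy sequences into one static helper would also keep the sites from drifting apart, and each site would benefit from a comment such as `/* terminate first: userspace may change the string after strnlen_user() */`.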
