diff options
author | Davi Arnaut <davi.arnaut@gmail.com> | 2006-02-03 03:04:46 -0800 |
---|---|---|
committer | Chris Wright <chrisw@sous-sol.org> | 2006-02-09 23:20:11 -0800 |
commit | 330d460744b92d00d5114079fcfc8e547d7ac143 (patch) | |
tree | 6728a9e229e747b45b473aee2aa56c7f62245cab /security | |
parent | 7c32e5eb497d0b52a858d0ac78fe97c7515ff512 (diff) |
[PATCH] Fix keyctl usage of strnlen_user()
In the small window between strnlen_user() and copy_from_user() userspace
could alter the terminating `\0' character.
Signed-off-by: Davi Arnaut <davi.arnaut@gmail.com>
Cc: David Howells <dhowells@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'security')
-rw-r--r-- | security/keys/keyctl.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index b7a468fabdf9..337bc123923d 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c @@ -66,9 +66,10 @@ asmlinkage long sys_add_key(const char __user *_type, description = kmalloc(dlen + 1, GFP_KERNEL); if (!description) goto error; + description[dlen] = '\0'; ret = -EFAULT; - if (copy_from_user(description, _description, dlen + 1) != 0) + if (copy_from_user(description, _description, dlen) != 0) goto error2; /* pull the payload in if one was supplied */ @@ -160,9 +161,10 @@ asmlinkage long sys_request_key(const char __user *_type, description = kmalloc(dlen + 1, GFP_KERNEL); if (!description) goto error; + description[dlen] = '\0'; ret = -EFAULT; - if (copy_from_user(description, _description, dlen + 1) != 0) + if (copy_from_user(description, _description, dlen) != 0) goto error2; /* pull the callout info into kernel space */ @@ -181,9 +183,10 @@ asmlinkage long sys_request_key(const char __user *_type, callout_info = kmalloc(dlen + 1, GFP_KERNEL); if (!callout_info) goto error2; + callout_info[dlen] = '\0'; ret = -EFAULT; - if (copy_from_user(callout_info, _callout_info, dlen + 1) != 0) + if (copy_from_user(callout_info, _callout_info, dlen) != 0) goto error3; } @@ -278,9 +281,10 @@ long keyctl_join_session_keyring(const char __user *_name) name = kmalloc(nlen + 1, GFP_KERNEL); if (!name) goto error; + name[nlen] = '\0'; ret = -EFAULT; - if (copy_from_user(name, _name, nlen + 1) != 0) + if (copy_from_user(name, _name, nlen) != 0) goto error2; } @@ -582,9 +586,10 @@ long keyctl_keyring_search(key_serial_t ringid, description = kmalloc(dlen + 1, GFP_KERNEL); if (!description) goto error; + description[dlen] = '\0'; ret = -EFAULT; - if (copy_from_user(description, _description, dlen + 1) != 0) + if (copy_from_user(description, _description, dlen) != 0) goto error2; /* get the keyring at which to begin the search */ |