summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorDavi Arnaut <davi.arnaut@gmail.com>2006-02-03 12:04:46 +0100
committerLinus Torvalds <torvalds@g5.osdl.org>2006-02-03 17:32:10 +0100
commit6d94074f0804143eac6bce72dc04447c0040e7d8 (patch)
tree2833a03682e12d81d4bd849435cd9f95e64e9350 /security
parent[PATCH] edac_mc: Remove include of version.h (diff)
downloadlinux-6d94074f0804143eac6bce72dc04447c0040e7d8.tar.xz
linux-6d94074f0804143eac6bce72dc04447c0040e7d8.zip
[PATCH] Fix keyctl usage of strnlen_user()
In the small window between strnlen_user() and copy_from_user() userspace could alter the terminating `\0' character. Signed-off-by: Davi Arnaut <davi.arnaut@gmail.com> Cc: David Howells <dhowells@redhat.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'security')
-rw-r--r--security/keys/keyctl.c15
1 files changed, 10 insertions, 5 deletions
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 90db5c76cf6e..0c62798ac7d8 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -67,9 +67,10 @@ asmlinkage long sys_add_key(const char __user *_type,
description = kmalloc(dlen + 1, GFP_KERNEL);
if (!description)
goto error;
+ description[dlen] = '\0';
ret = -EFAULT;
- if (copy_from_user(description, _description, dlen + 1) != 0)
+ if (copy_from_user(description, _description, dlen) != 0)
goto error2;
/* pull the payload in if one was supplied */
@@ -161,9 +162,10 @@ asmlinkage long sys_request_key(const char __user *_type,
description = kmalloc(dlen + 1, GFP_KERNEL);
if (!description)
goto error;
+ description[dlen] = '\0';
ret = -EFAULT;
- if (copy_from_user(description, _description, dlen + 1) != 0)
+ if (copy_from_user(description, _description, dlen) != 0)
goto error2;
/* pull the callout info into kernel space */
@@ -182,9 +184,10 @@ asmlinkage long sys_request_key(const char __user *_type,
callout_info = kmalloc(dlen + 1, GFP_KERNEL);
if (!callout_info)
goto error2;
+ callout_info[dlen] = '\0';
ret = -EFAULT;
- if (copy_from_user(callout_info, _callout_info, dlen + 1) != 0)
+ if (copy_from_user(callout_info, _callout_info, dlen) != 0)
goto error3;
}
@@ -279,9 +282,10 @@ long keyctl_join_session_keyring(const char __user *_name)
name = kmalloc(nlen + 1, GFP_KERNEL);
if (!name)
goto error;
+ name[nlen] = '\0';
ret = -EFAULT;
- if (copy_from_user(name, _name, nlen + 1) != 0)
+ if (copy_from_user(name, _name, nlen) != 0)
goto error2;
}
@@ -583,9 +587,10 @@ long keyctl_keyring_search(key_serial_t ringid,
description = kmalloc(dlen + 1, GFP_KERNEL);
if (!description)
goto error;
+ description[dlen] = '\0';
ret = -EFAULT;
- if (copy_from_user(description, _description, dlen + 1) != 0)
+ if (copy_from_user(description, _description, dlen) != 0)
goto error2;
/* get the keyring at which to begin the search */