
[PATCH] Fix keyctl usage of strnlen_user()

In the small window between strnlen_user() and copy_from_user() userspace
could alter the terminating `\0' character.

Signed-off-by: Davi Arnaut <davi.arnaut@gmail.com>
Cc: David Howells <dhowells@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

authored by

Davi Arnaut and committed by
Linus Torvalds
6d94074f 353368df

+10 -5
+10 -5
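--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -67,9 +67,10 @@
 description = kmalloc(dlen + 1, GFP_KERNEL);
 if (!description)
 goto error;
+description[dlen] = '\0';
 
 ret = -EFAULT;
-if (copy_from_user(description, _description, dlen + 1) != 0)
+if (copy_from_user(description, _description, dlen) != 0)
 goto error2;
 
 /* pull the payload in if one was supplied */
@@ -162,9 +161,10 @@
 description = kmalloc(dlen + 1, GFP_KERNEL);
 if (!description)
 goto error;
+description[dlen] = '\0';
 
 ret = -EFAULT;
-if (copy_from_user(description, _description, dlen + 1) != 0)
+if (copy_from_user(description, _description, dlen) != 0)
 goto error2;
 
 /* pull the callout info into kernel space */
@@ -184,9 +182,10 @@
 callout_info = kmalloc(dlen + 1, GFP_KERNEL);
 if (!callout_info)
 goto error2;
+callout_info[dlen] = '\0';
 
 ret = -EFAULT;
-if (copy_from_user(callout_info, _callout_info, dlen + 1) != 0)
+if (copy_from_user(callout_info, _callout_info, dlen) != 0)
 goto error3;
 }
 
@@ -282,9 +279,10 @@
 name = kmalloc(nlen + 1, GFP_KERNEL);
 if (!name)
 goto error;
+name[nlen] = '\0';
 
 ret = -EFAULT;
-if (copy_from_user(name, _name, nlen + 1) != 0)
+if (copy_from_user(name, _name, nlen) != 0)
 goto error2;
 }
 
@@ -587,9 +583,10 @@
 description = kmalloc(dlen + 1, GFP_KERNEL);
 if (!description)
 goto error;
+description[dlen] = '\0';
 
 ret = -EFAULT;
-if (copy_from_user(description, _description, dlen + 1) != 0)
+if (copy_from_user(description, _description, dlen) != 0)
 goto error2;
 
 /* get the keyring at which to begin the search */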
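Review bot: Each of the five added terminator stores (`description[dlen] = '\0';`, `callout_info[dlen] = '\0';`, `name[nlen] = '\0';`) lacks a comment saying why the kernel writes the NUL itself instead of copying it; a later reader will see an apparently redundant store before a copy of `dlen` bytes and may "simplify" it back to `dlen + 1`, reintroducing the window this commit closes. Suggest `/* terminate here: userspace may change the string between strnlen_user() and copy_from_user() */` above each store. Whether `dlen`/`nlen` includes the NUL counted by strnlen_user() is decided above the hunks and is not visible here; the kernel-side terminator makes termination correct either way, but the value of the last copied byte depends on it, so that derivation is worth checking once. The same length-check, kmalloc, copy, terminate sequence now appears five times in this file, and a single static helper returning a terminated kernel copy would keep the race handling in one place. The enclosing functions start and end outside the hunks.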