[PATCH] Fix keyctl usage of strnlen_user()
In the small window between strnlen_user() and copy_from_user() userspace
could alter the terminating `\0' character.
Signed-off-by: Davi Arnaut <davi.arnaut@gmail.com>
Cc: David Howells <dhowells@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 90db5c7..0c62798 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -67,9 +67,10 @@
description = kmalloc(dlen + 1, GFP_KERNEL);
if (!description)
goto error;
+ description[dlen] = '\0';
ret = -EFAULT;
- if (copy_from_user(description, _description, dlen + 1) != 0)
+ if (copy_from_user(description, _description, dlen) != 0)
goto error2;
/* pull the payload in if one was supplied */
@@ -161,9 +162,10 @@
description = kmalloc(dlen + 1, GFP_KERNEL);
if (!description)
goto error;
+ description[dlen] = '\0';
ret = -EFAULT;
- if (copy_from_user(description, _description, dlen + 1) != 0)
+ if (copy_from_user(description, _description, dlen) != 0)
goto error2;
/* pull the callout info into kernel space */
@@ -182,9 +184,10 @@
callout_info = kmalloc(dlen + 1, GFP_KERNEL);
if (!callout_info)
goto error2;
+ callout_info[dlen] = '\0';
ret = -EFAULT;
- if (copy_from_user(callout_info, _callout_info, dlen + 1) != 0)
+ if (copy_from_user(callout_info, _callout_info, dlen) != 0)
goto error3;
}
@@ -279,9 +282,10 @@
name = kmalloc(nlen + 1, GFP_KERNEL);
if (!name)
goto error;
+ name[nlen] = '\0';
ret = -EFAULT;
- if (copy_from_user(name, _name, nlen + 1) != 0)
+ if (copy_from_user(name, _name, nlen) != 0)
goto error2;
}
@@ -583,9 +587,10 @@
description = kmalloc(dlen + 1, GFP_KERNEL);
if (!description)
goto error;
+ description[dlen] = '\0';
ret = -EFAULT;
- if (copy_from_user(description, _description, dlen + 1) != 0)
+ if (copy_from_user(description, _description, dlen) != 0)
goto error2;
/* get the keyring at which to begin the search */