提交 6d94074f 编写于 作者: D Davi Arnaut 提交者: Linus Torvalds

[PATCH] Fix keyctl usage of strnlen_user()

In the small window between strnlen_user() and copy_from_user() userspace
could alter the terminating `\0' character.
Signed-off-by: Davi Arnaut <davi.arnaut@gmail.com>
Cc: David Howells <dhowells@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
上级 353368df
...@@ -67,9 +67,10 @@ asmlinkage long sys_add_key(const char __user *_type, ...@@ -67,9 +67,10 @@ asmlinkage long sys_add_key(const char __user *_type,
description = kmalloc(dlen + 1, GFP_KERNEL); description = kmalloc(dlen + 1, GFP_KERNEL);
if (!description) if (!description)
goto error; goto error;
description[dlen] = '\0';
ret = -EFAULT; ret = -EFAULT;
if (copy_from_user(description, _description, dlen + 1) != 0) if (copy_from_user(description, _description, dlen) != 0)
goto error2; goto error2;
/* pull the payload in if one was supplied */ /* pull the payload in if one was supplied */
...@@ -161,9 +162,10 @@ asmlinkage long sys_request_key(const char __user *_type, ...@@ -161,9 +162,10 @@ asmlinkage long sys_request_key(const char __user *_type,
description = kmalloc(dlen + 1, GFP_KERNEL); description = kmalloc(dlen + 1, GFP_KERNEL);
if (!description) if (!description)
goto error; goto error;
description[dlen] = '\0';
ret = -EFAULT; ret = -EFAULT;
if (copy_from_user(description, _description, dlen + 1) != 0) if (copy_from_user(description, _description, dlen) != 0)
goto error2; goto error2;
/* pull the callout info into kernel space */ /* pull the callout info into kernel space */
...@@ -182,9 +184,10 @@ asmlinkage long sys_request_key(const char __user *_type, ...@@ -182,9 +184,10 @@ asmlinkage long sys_request_key(const char __user *_type,
callout_info = kmalloc(dlen + 1, GFP_KERNEL); callout_info = kmalloc(dlen + 1, GFP_KERNEL);
if (!callout_info) if (!callout_info)
goto error2; goto error2;
callout_info[dlen] = '\0';
ret = -EFAULT; ret = -EFAULT;
if (copy_from_user(callout_info, _callout_info, dlen + 1) != 0) if (copy_from_user(callout_info, _callout_info, dlen) != 0)
goto error3; goto error3;
} }
...@@ -279,9 +282,10 @@ long keyctl_join_session_keyring(const char __user *_name) ...@@ -279,9 +282,10 @@ long keyctl_join_session_keyring(const char __user *_name)
name = kmalloc(nlen + 1, GFP_KERNEL); name = kmalloc(nlen + 1, GFP_KERNEL);
if (!name) if (!name)
goto error; goto error;
name[nlen] = '\0';
ret = -EFAULT; ret = -EFAULT;
if (copy_from_user(name, _name, nlen + 1) != 0) if (copy_from_user(name, _name, nlen) != 0)
goto error2; goto error2;
} }
...@@ -583,9 +587,10 @@ long keyctl_keyring_search(key_serial_t ringid, ...@@ -583,9 +587,10 @@ long keyctl_keyring_search(key_serial_t ringid,
description = kmalloc(dlen + 1, GFP_KERNEL); description = kmalloc(dlen + 1, GFP_KERNEL);
if (!description) if (!description)
goto error; goto error;
description[dlen] = '\0';
ret = -EFAULT; ret = -EFAULT;
if (copy_from_user(description, _description, dlen + 1) != 0) if (copy_from_user(description, _description, dlen) != 0)
goto error2; goto error2;
/* get the keyring at which to begin the search */ /* get the keyring at which to begin the search */
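Review bot: The kernel-written terminator at `description[dlen] = '\0';` in sys_add_key, and at the four matching sites in sys_request_key (twice), keyctl_join_session_keyring and keyctl_keyring_search, has no comment explaining why the NUL is no longer taken from the user copy, so a later cleanup could fold it back into `copy_from_user(..., dlen + 1)`. I would add `/* terminate in kernel memory: userspace can rewrite the string between strnlen_user() and copy_from_user() */` above each assignment. The copied bytes can still differ from what strnlen_user() measured (an earlier NUL, for instance), so later code should take the length from the kernel copy rather than reuse dlen/nlen; whether anything downstream does so is not visible in these hunks. Because the same allocate/terminate/copy sequence is open-coded five times, a single static helper in this file would keep the fix from being missed at a new call site. All five functions begin and end outside the hunks shown.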
......