KEYS: fix writing past end of user-supplied buffer in keyring_read()
authorEric Biggers <ebiggers@google.com>
Mon, 18 Sep 2017 18:36:45 +0000 (11:36 -0700)
committerDavid Howells <dhowells@redhat.com>
Mon, 25 Sep 2017 14:19:57 +0000 (15:19 +0100)
commite645016abc803dafc75e4b8f6e4118f088900ffb
tree93714c8259d9bb33ae016a8dcf9239e77af00d81
parent7fc0786d956d9e59b68d282be9b156179846ea3d
KEYS: fix writing past end of user-supplied buffer in keyring_read()

Userspace can call keyctl_read() on a keyring to get the list of IDs of
keys in the keyring.  But if the user-supplied buffer is too small, the
kernel would write the full list anyway --- which will corrupt whatever
userspace memory happened to be past the end of the buffer.  Fix it by
only filling the space that is available.

Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring")
Cc: <stable@vger.kernel.org> [v3.13+]
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
security/keys/keyring.c