Re: [PATCH] KEYS: Don't write out to userspace while holding key semaphore

From: Eric Biggers
Date: Thu Mar 05 2020 - 16:17:24 EST

Next message: Daniel Xu: "[PATCH v2 1/4] kernfs: kvmalloc xattr value instead of kmalloc"
Previous message: Eric W. Biederman: "[PATCH 0/2] Infrastructure to allow fixing exec deadlocks"
In reply to: Waiman Long: "[PATCH] KEYS: Don't write out to userspace while holding key semaphore"
Next in thread: Waiman Long: "Re: [PATCH] KEYS: Don't write out to userspace while holding key semaphore"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Mar 05, 2020 at 04:06:40PM -0500, Waiman Long wrote:
> diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
> index 9b898c969558..564a4d187329 100644
> --- a/security/keys/keyctl.c
> +++ b/security/keys/keyctl.c
> @@ -846,14 +846,36 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
> can_read_key:
> ret = -EOPNOTSUPP;
> if (key->type->read) {
> - /* Read the data with the semaphore held (since we might sleep)
> + /*
> + * Read the data with the semaphore held (since we might sleep)
> * to protect against the key being updated or revoked.
> + *
> + * Allocating a temporary buffer to hold the keys before
> + * transferring them to user buffer to avoid potential
> + * deadlock involving page fault and mmap_sem.
> */
> + char *tmpbuf = kmalloc(buflen, GFP_KERNEL);

This is passing an arbitrarily large size from userspace into kmalloc().

- Eric

Next message: Daniel Xu: "[PATCH v2 1/4] kernfs: kvmalloc xattr value instead of kmalloc"
Previous message: Eric W. Biederman: "[PATCH 0/2] Infrastructure to allow fixing exec deadlocks"
In reply to: Waiman Long: "[PATCH] KEYS: Don't write out to userspace while holding key semaphore"
Next in thread: Waiman Long: "Re: [PATCH] KEYS: Don't write out to userspace while holding key semaphore"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]