diff options
| author | Eric Biggers <ebiggers@google.com> | 2019-01-10 12:31:16 -0800 |
|---|---|---|
| committer | David Howells <dhowells@redhat.com> | 2019-01-16 15:25:50 +0000 |
| commit | 34ce58d90d49049eabe32c34e5ea28b924175168 (patch) | |
| tree | feb319983df51d8fb73d02f348aefedb208c5c21 | |
| parent | bc7e65c93ef9178c214aad4e13216a16673319b5 (diff) | |
| download | keyutils-34ce58d90d49049eabe32c34e5ea28b924175168.tar.gz | |
keyctl: use keyctl_read_alloc() in dump_key_tree_aux()
dump_key_tree_aux() (part of 'keyctl show') was racy: it allocated a
buffer for the keyring contents, then read the keyring. But it's
possible that keys are added to the keyring concurrently. This is
problematic for two reasons. First, when keyctl_read() is passed a
buffer that is too small, it is unspecified whether it is filled or not.
Second, even if the buffer is filled, some keys (not necessarily even
the newest ones) would be omitted from the listing.
Switch to keyctl_read_alloc() which handles the "buffer too small" case
correctly by retrying the read.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
| -rw-r--r-- | keyctl.c | 23 |
1 files changed, 6 insertions, 17 deletions
@@ -2231,29 +2231,17 @@ static int dump_key_tree_aux(key_serial_t key, int depth, int more, int hex_key_ /* if it's a keyring then we're going to want to recursively * display it if we can */ if (strcmp(type, "keyring") == 0) { - /* find out how big the keyring is */ - ret = keyctl_read(key, NULL, 0); - if (ret < 0) - error("keyctl_read"); - if (ret == 0) - return 0; - ringlen = ret; - /* read its contents */ - payload = malloc(ringlen); - if (!payload) - error("malloc"); - - ret = keyctl_read(key, payload, ringlen); + ret = keyctl_read_alloc(key, &payload); if (ret < 0) - error("keyctl_read"); + error("keyctl_read_alloc"); - ringlen = ret < ringlen ? ret : ringlen; + ringlen = ret; kcount = ringlen / sizeof(key_serial_t); /* walk the keyring */ pk = payload; - do { + while (ringlen >= sizeof(key_serial_t)) { key = *pk++; /* recurse into next keyrings */ @@ -2281,7 +2269,8 @@ static int dump_key_tree_aux(key_serial_t key, int depth, int more, int hex_key_ hex_key_IDs); } - } while (ringlen -= 4, ringlen >= sizeof(key_serial_t)); + ringlen -= sizeof(key_serial_t); + } free(payload); } |