[PATCH 27/32] KEYS: Use mem_to_flex_dup() with struct user_key_payload

[PATCH 00/32] Introduce flexible array struct memcpy() helpers · Kees Cook <hidden> · 2022-05-04
[PATCH 01/32] netlink: Avoid memcpy() across flexible array boundary · Kees Cook <hidden> · 2022-05-04
Re: [PATCH 01/32] netlink: Avoid memcpy() across flexible array boundary · "Gustavo A. R. Silva" <gustavoars@kernel.org> · 2022-05-04
Re: [PATCH 01/32] netlink: Avoid memcpy() across flexible array boundary · Kees Cook <hidden> · 2022-05-04
[PATCH 04/32] fortify: Add run-time WARN for cross-field memcpy() · Kees Cook <hidden> · 2022-05-04
[PATCH 02/32] Introduce flexible array struct memcpy() helpers · Kees Cook <hidden> · 2022-05-04
Re: [PATCH 02/32] Introduce flexible array struct memcpy() helpers · Johannes Berg <johannes@sipsolutions.net> · 2022-05-04
Re: [PATCH 02/32] Introduce flexible array struct memcpy() helpers · Kees Cook <hidden> · 2022-05-04
RE: [PATCH 02/32] Introduce flexible array struct memcpy() helpers · David Laight <hidden> · 2022-05-04
Re: [PATCH 02/32] Introduce flexible array struct memcpy() helpers · Johannes Berg <johannes@sipsolutions.net> · 2022-05-05
Re: [PATCH 02/32] Introduce flexible array struct memcpy() helpers · Keith Packard <keithp@keithp.com> · 2022-05-05
Re: [PATCH 02/32] Introduce flexible array struct memcpy() helpers · Kees Cook <hidden> · 2022-05-05
Re: [PATCH 02/32] Introduce flexible array struct memcpy() helpers · Keith Packard <keithp@keithp.com> · 2022-05-05
Re: [PATCH 02/32] Introduce flexible array struct memcpy() helpers · Johannes Berg <johannes@sipsolutions.net> · 2022-05-05
RE: [PATCH 02/32] Introduce flexible array struct memcpy() helpers · David Laight <hidden> · 2022-05-06
Re: [PATCH 02/32] Introduce flexible array struct memcpy() helpers · Kees Cook <hidden> · 2022-05-05
[PATCH 05/32] brcmfmac: Use mem_to_flex_dup() with struct brcmf_fweh_queue_item · Kees Cook <hidden> · 2022-05-04
[PATCH 10/32] wcn36xx: Use mem_to_flex_dup() with struct wcn36xx_hal_ind_msg · Kees Cook <hidden> · 2022-05-04
[PATCH 14/32] af_unix: Use mem_to_flex_dup() with struct unix_address · Kees Cook <hidden> · 2022-05-04
[PATCH 11/32] nl80211: Use mem_to_flex_dup() with struct cfg80211_cqm_config · Kees Cook <hidden> · 2022-05-04
[PATCH 08/32] iwlwifi: mvm: Use mem_to_flex_dup() with struct ieee80211_key_conf · Kees Cook <hidden> · 2022-05-04
[PATCH 12/32] cfg80211: Use mem_to_flex_dup() with struct cfg80211_bss_ies · Kees Cook <hidden> · 2022-05-04
Re: [PATCH 12/32] cfg80211: Use mem_to_flex_dup() with struct cfg80211_bss_ies · Johannes Berg <johannes@sipsolutions.net> · 2022-05-04
Re: [PATCH 12/32] cfg80211: Use mem_to_flex_dup() with struct cfg80211_bss_ies · Kees Cook <hidden> · 2022-05-04
[PATCH 06/32] iwlwifi: calib: Prepare to use mem_to_flex_dup() · Kees Cook <hidden> · 2022-05-04
[PATCH 07/32] iwlwifi: calib: Use mem_to_flex_dup() with struct iwl_calib_result · Kees Cook <hidden> · 2022-05-04
[PATCH 25/32] Drivers: hv: utils: Use mem_to_flex_dup() with struct cn_msg · Kees Cook <hidden> · 2022-05-04
[PATCH 26/32] ima: Use mem_to_flex_dup() with struct modsig · Kees Cook <hidden> · 2022-05-04
[PATCH 23/32] Bluetooth: Use mem_to_flex_dup() with struct hci_op_configure_data_path · Kees Cook <hidden> · 2022-05-04
[PATCH 21/32] soc: qcom: apr: Use mem_to_flex_dup() with struct apr_rx_buf · Kees Cook <hidden> · 2022-05-04
[PATCH 16/32] 802/mrp: Use mem_to_flex_dup() with struct mrp_attr · Kees Cook <hidden> · 2022-05-04
[PATCH 03/32] flex_array: Add Kunit tests · Kees Cook <hidden> · 2022-05-04
Re: [PATCH 03/32] flex_array: Add Kunit tests · David Gow <hidden> · 2022-05-04
Re: [PATCH 03/32] flex_array: Add Kunit tests · Kees Cook <hidden> · 2022-05-04
Re: [PATCH 03/32] flex_array: Add Kunit tests · Daniel Latypov <hidden> · 2022-05-04
[PATCH 19/32] afs: Use mem_to_flex_dup() with struct afs_acl · Kees Cook <hidden> · 2022-05-04
Re: [PATCH 19/32] afs: Use mem_to_flex_dup() with struct afs_acl · David Howells <dhowells@redhat.com> · 2022-05-12
Re: [PATCH 19/32] afs: Use mem_to_flex_dup() with struct afs_acl · Kees Cook <hidden> · 2022-05-13
[PATCH 29/32] xtensa: Use mem_to_flex_dup() with struct property · Kees Cook <hidden> · 2022-05-04
Re: [PATCH 29/32] xtensa: Use mem_to_flex_dup() with struct property · Rob Herring <robh@kernel.org> · 2022-05-04
[PATCH 15/32] 802/garp: Use mem_to_flex_dup() with struct garp_attr · Kees Cook <hidden> · 2022-05-04
[PATCH 20/32] ASoC: sigmadsp: Use mem_to_flex_dup() with struct sigmadsp_data · Kees Cook <hidden> · 2022-05-04
Re: [PATCH 20/32] ASoC: sigmadsp: Use mem_to_flex_dup() with struct sigmadsp_data · Mark Brown <broonie@kernel.org> · 2022-05-04
[PATCH 18/32] firewire: Use __mem_to_flex_dup() with struct iso_interrupt_event · Kees Cook <hidden> · 2022-05-04
[PATCH 09/32] p54: Use mem_to_flex_dup() with struct p54_cal_database · Kees Cook <hidden> · 2022-05-04
[PATCH 17/32] net/flow_offload: Use mem_to_flex_dup() with struct flow_action_cookie · Kees Cook <hidden> · 2022-05-04
[PATCH 13/32] mac80211: Use mem_to_flex_dup() with several structs · Kees Cook <hidden> · 2022-05-04
[PATCH 28/32] selinux: Use mem_to_flex_dup() with xfrm and sidtab · Kees Cook <hidden> · 2022-05-04
Re: [PATCH 28/32] selinux: Use mem_to_flex_dup() with xfrm and sidtab · Paul Moore <paul@paul-moore.com> · 2022-05-04
Re: [PATCH 28/32] selinux: Use mem_to_flex_dup() with xfrm and sidtab · "Gustavo A. R. Silva" <gustavoars@kernel.org> · 2022-05-05
Re: [PATCH 28/32] selinux: Use mem_to_flex_dup() with xfrm and sidtab · Paul Moore <paul@paul-moore.com> · 2022-05-05
Re: [PATCH 28/32] selinux: Use mem_to_flex_dup() with xfrm and sidtab · Kees Cook <hidden> · 2022-05-05
Re: [PATCH 28/32] selinux: Use mem_to_flex_dup() with xfrm and sidtab · Paul Moore <paul@paul-moore.com> · 2022-05-05
Re: [PATCH 28/32] selinux: Use mem_to_flex_dup() with xfrm and sidtab · "Gustavo A. R. Silva" <gustavoars@kernel.org> · 2022-05-06
[PATCH 22/32] atags_proc: Use mem_to_flex_dup() with struct buffer · Kees Cook <hidden> · 2022-05-04
[PATCH 32/32] esas2r: Use __mem_to_flex() with struct atto_ioctl · Kees Cook <hidden> · 2022-05-04
[PATCH 24/32] IB/hfi1: Use mem_to_flex_dup() for struct tid_rb_node · Kees Cook <hidden> · 2022-05-04
[PATCH 27/32] KEYS: Use mem_to_flex_dup() with struct user_key_payload · Kees Cook <hidden> · 2022-05-04
[PATCH 30/32] usb: gadget: f_fs: Use mem_to_flex_dup() with struct ffs_buffer · Kees Cook <hidden> · 2022-05-04
[PATCH 31/32] xenbus: Use mem_to_flex_dup() with struct read_buffer · Kees Cook <hidden> · 2022-05-04
Re: [PATCH 00/32] Introduce flexible array struct memcpy() helpers · David Howells <dhowells@redhat.com> · 2022-05-12

STALE1492d

From: Kees Cook <hidden>
Date: 2022-05-04 01:58:56
Also in: keyrings, linux-arm-msm, linux-bluetooth, linux-devicetree, linux-hardening, linux-hyperv, linux-integrity, linux-rdma, linux-scsi, linux-security-module, linux-usb, linux-wireless, llvm, selinux, xen-devel
Subsystem: keys/keyrings, security subsystem, the rest · Maintainers: David Howells, Jarkko Sakkinen, Paul Moore, James Morris, "Serge E. Hallyn", Linus Torvalds

As part of the work to perform bounds checking on all memcpy() uses,
replace the open-coded a deserialization of bytes out of memory into a
trailing flexible array by using a flex_array.h helper to perform the
allocation, bounds checking, and copying.

Cc: David Howells <dhowells@redhat.com>
Cc: Jarkko Sakkinen <jarkko@kernel.org>
Cc: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Signed-off-by: Kees Cook <redacted>
---
 include/keys/user-type.h     | 4 ++--
 security/keys/user_defined.c | 7 ++-----
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/include/keys/user-type.h b/include/keys/user-type.h
index 386c31432789..4e67ff902a32 100644
--- a/include/keys/user-type.h
+++ b/include/keys/user-type.h

@@ -26,8 +26,8 @@
  */
 struct user_key_payload {
 	struct rcu_head	rcu;		/* RCU destructor */
-	unsigned short	datalen;	/* length of this data */
-	char		data[] __aligned(__alignof__(u64)); /* actual data */
+	DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(unsigned short, datalen);
+	DECLARE_FLEX_ARRAY_ELEMENTS(char, data) __aligned(__alignof__(u64));
 };
 
 extern struct key_type key_type_user;

diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
index 749e2a4dcb13..2fb84894cdaa 100644
--- a/security/keys/user_defined.c
+++ b/security/keys/user_defined.c

@@ -58,21 +58,18 @@ EXPORT_SYMBOL_GPL(key_type_logon);
  */
 int user_preparse(struct key_preparsed_payload *prep)
 {
-	struct user_key_payload *upayload;
+	struct user_key_payload *upayload = NULL;
 	size_t datalen = prep->datalen;
 
 	if (datalen <= 0 || datalen > 32767 || !prep->data)
 		return -EINVAL;
 
-	upayload = kmalloc(sizeof(*upayload) + datalen, GFP_KERNEL);
-	if (!upayload)
+	if (mem_to_flex_dup(&upayload, prep->data, datalen, GFP_KERNEL))
 		return -ENOMEM;
 
 	/* attach the data */
 	prep->quotalen = datalen;
 	prep->payload.data[0] = upayload;
-	upayload->datalen = datalen;
-	memcpy(upayload->data, prep->data, datalen);
 	return 0;
 }
 EXPORT_SYMBOL_GPL(user_preparse);

-- 
2.32.0

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help