From 18a6ac2634699280676c3e85892062e873229ccf Mon Sep 17 00:00:00 2001 From: Dragos Ciprian Nedelcu Date: Wed, 15 Jul 2020 14:51:21 +0200 Subject: Backport kernel fix from linux-yocto master. Fix is "KEYS: reaching the keys quotas correctly" form 2020-03-15. https://git.yoctoproject.org/cgit/cgit.cgi/linux-yocto/ commit/?id=2e356101e72ab1361821b3af024d64877d9a798d Change-Id: I34a972978bc4c9b4fef496c22bdb468a099147ea Signed-off-by: Dragos Ciprian Nedelcu --- ...2-KEYS-reaching-the-keys-quotas-correctly.patch | 69 ++++++++++++++++++++++ patches/security/keys.scc | 1 + 2 files changed, 70 insertions(+) create mode 100644 patches/security/0002-KEYS-reaching-the-keys-quotas-correctly.patch create mode 100644 patches/security/keys.scc diff --git a/patches/security/0002-KEYS-reaching-the-keys-quotas-correctly.patch b/patches/security/0002-KEYS-reaching-the-keys-quotas-correctly.patch new file mode 100644 index 0000000..37b06c6 --- /dev/null +++ b/patches/security/0002-KEYS-reaching-the-keys-quotas-correctly.patch @@ -0,0 +1,69 @@ +From 2e356101e72ab1361821b3af024d64877d9a798d Mon Sep 17 00:00:00 2001 +From: Yang Xu +Date: Fri, 28 Feb 2020 12:41:51 +0800 +Subject: KEYS: reaching the keys quotas correctly + +Currently, when we add a new user key, the calltrace as below: + +add_key() + key_create_or_update() + key_alloc() + __key_instantiate_and_link + generic_key_instantiate + key_payload_reserve + ...... + +Since commit a08bf91ce28e ("KEYS: allow reaching the keys quotas exactly"), +we can reach max bytes/keys in key_alloc, but we forget to remove this +limit when we reserver space for payload in key_payload_reserve. So we +can only reach max keys but not max bytes when having delta between plen +and type->def_datalen. Remove this limit when instantiating the key, so we +can keep consistent with key_alloc. + +Also, fix the similar problem in keyctl_chown_key(). + +Fixes: 0b77f5bfb45c ("keys: make the keyring quotas controllable through /proc/sys") +Fixes: a08bf91ce28e ("KEYS: allow reaching the keys quotas exactly") +Cc: stable@vger.kernel.org # 5.0.x +Cc: Eric Biggers +Signed-off-by: Yang Xu +Reviewed-by: Jarkko Sakkinen +Reviewed-by: Eric Biggers +Signed-off-by: Jarkko Sakkinen +--- + security/keys/key.c | 2 +- + security/keys/keyctl.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/security/keys/key.c b/security/keys/key.c +index 718bf7217420..e959b3c96b48 100644 +--- a/security/keys/key.c ++++ b/security/keys/key.c +@@ -382,7 +382,7 @@ int key_payload_reserve(struct key *key, size_t datalen) + spin_lock(&key->user->lock); + + if (delta > 0 && +- (key->user->qnbytes + delta >= maxbytes || ++ (key->user->qnbytes + delta > maxbytes || + key->user->qnbytes + delta < key->user->qnbytes)) { + ret = -EDQUOT; + } +diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c +index 9b898c969558..d1a3dea58dee 100644 +--- a/security/keys/keyctl.c ++++ b/security/keys/keyctl.c +@@ -937,8 +937,8 @@ long keyctl_chown_key(key_serial_t id, uid_t user, gid_t group) + key_quota_root_maxbytes : key_quota_maxbytes; + + spin_lock(&newowner->lock); +- if (newowner->qnkeys + 1 >= maxkeys || +- newowner->qnbytes + key->quotalen >= maxbytes || ++ if (newowner->qnkeys + 1 > maxkeys || ++ newowner->qnbytes + key->quotalen > maxbytes || + newowner->qnbytes + key->quotalen < + newowner->qnbytes) + goto quota_overrun; +-- +cgit v1.2.2-1-g5e49 + + diff --git a/patches/security/keys.scc b/patches/security/keys.scc new file mode 100644 index 0000000..0c937e0 --- /dev/null +++ b/patches/security/keys.scc @@ -0,0 +1 @@ +patch 0002-KEYS-reaching-the-keys-quotas-correctly.patch -- cgit v1.2.3-54-g00ecf