| From: David Howells <dhowells@redhat.com> |
| Date: Fri, 25 Sep 2015 16:30:08 +0100 |
| Subject: KEYS: Fix race between key destruction and finding a keyring by name |
| |
| commit 94c4554ba07adbdde396748ee7ae01e86cf2d8d7 upstream. |
| |
| There appears to be a race between: |
| |
| (1) key_gc_unused_keys() which frees key->security and then calls |
| keyring_destroy() to unlink the name from the name list |
| |
| (2) find_keyring_by_name() which calls key_permission(), thus accessing |
| key->security, on a key before checking to see whether the key usage is 0 |
| (ie. the key is dead and might be cleaned up). |
| |
| Fix this by calling ->destroy() before cleaning up the core key data - |
| including key->security. |
| |
| Reported-by: Petr Matousek <pmatouse@redhat.com> |
| Signed-off-by: David Howells <dhowells@redhat.com> |
| [carnil: Backported to 3.2: adjust context] |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| security/keys/gc.c | 8 ++++---- |
| 1 file changed, 4 insertions(+), 4 deletions(-) |
| |
| --- a/security/keys/gc.c |
| +++ b/security/keys/gc.c |
| @@ -172,6 +172,10 @@ static noinline void key_gc_unused_key(s |
| { |
| key_check(key); |
| |
| + /* Throw away the key data */ |
| + if (key->type->destroy) |
| + key->type->destroy(key); |
| + |
| security_key_free(key); |
| |
| /* deal with the user's key tracking and quota */ |
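Review bot: The added comment `/* Throw away the key data */` above the `->destroy()` call does not record that the call order is what closes the race, so a later cleanup could move the call back below `security_key_free(key)` and reintroduce the use-after-free on key->security. Going by the commit message, keyring_destroy() is what unlinks the name from the name list, and find_keyring_by_name() calls key_permission() (reading key->security) before it checks the usage count. I would state the constraint at the call site, e.g. `/* Call ->destroy() before security_key_free(): it unlinks a keyring from the name list, and find_keyring_by_name() reads key->security on listed keys */`. The function body starts and ends outside this hunk, so whether the remaining teardown steps have similar ordering requirements cannot be judged from here.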
| @@ -186,10 +190,6 @@ static noinline void key_gc_unused_key(s |
| if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) |
| atomic_dec(&key->user->nikeys); |
| |
| - /* now throw away the key memory */ |
| - if (key->type->destroy) |
| - key->type->destroy(key); |
| - |
| key_user_put(key->user); |
| |
| kfree(key->description); |