| From 94c4554ba07adbdde396748ee7ae01e86cf2d8d7 Mon Sep 17 00:00:00 2001 |
| From: David Howells <dhowells@redhat.com> |
| Date: Fri, 25 Sep 2015 16:30:08 +0100 |
| Subject: KEYS: Fix race between key destruction and finding a keyring by name |
| |
| From: David Howells <dhowells@redhat.com> |
| |
| commit 94c4554ba07adbdde396748ee7ae01e86cf2d8d7 upstream. |
| |
| There appears to be a race between: |
| |
| (1) key_gc_unused_keys() which frees key->security and then calls |
| keyring_destroy() to unlink the name from the name list |
| |
| (2) find_keyring_by_name() which calls key_permission(), thus accessing |
| key->security, on a key before checking to see whether the key usage is 0 |
| (i.e. the key is dead and might be cleaned up). |
| |
| Fix this by calling ->destroy() before cleaning up the core key data - |
| including key->security. |
| |
| Reported-by: Petr Matousek <pmatouse@redhat.com> |
| Signed-off-by: David Howells <dhowells@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| security/keys/gc.c | 8 ++++---- |
| 1 file changed, 4 insertions(+), 4 deletions(-) |
| |
| --- a/security/keys/gc.c |
| +++ b/security/keys/gc.c |
| @@ -187,6 +187,10 @@ static noinline void key_gc_unused_keys( |
| kdebug("- %u", key->serial); |
| key_check(key); |
| |
| + /* Throw away the key data */ |
| + if (key->type->destroy) |
| + key->type->destroy(key); |
| + |
| security_key_free(key); |
| |
| /* deal with the user's key tracking and quota */ |
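Review bot: The comment on the moved `->destroy()` call, `/* Throw away the key data */`, does not say that its position ahead of `security_key_free(key)` is what the fix depends on, so a later cleanup could reorder the two calls and reintroduce the access to freed `key->security`. I would word it `/* Must precede security_key_free(): keyring_destroy() unlinks the name that find_keyring_by_name() uses to reach key->security */`. Per the commit message, find_keyring_by_name() still calls key_permission() before checking whether the usage count is 0; whether the unlink and that lookup are serialised by the same lock is not visible in this hunk, so that is worth confirming. key_gc_unused_keys() begins and ends outside the hunk.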
| @@ -201,10 +205,6 @@ static noinline void key_gc_unused_keys( |
| if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) |
| atomic_dec(&key->user->nikeys); |
| |
| - /* now throw away the key memory */ |
| - if (key->type->destroy) |
| - key->type->destroy(key); |
| - |
| key_user_put(key->user); |
| |
| kfree(key->description); |