| From a3a8784454692dd72e5d5d34dcdab17b4420e74c Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sasha.levin@oracle.com> |
| Date: Mon, 29 Dec 2014 09:39:01 -0500 |
| Subject: KEYS: close race between key lookup and freeing |
| |
| From: Sasha Levin <sasha.levin@oracle.com> |
| |
| commit a3a8784454692dd72e5d5d34dcdab17b4420e74c upstream. |
| |
| When a key is being garbage collected, it's key->user would get put before |
| the ->destroy() callback is called, where the key is removed from it's |
| respective tracking structures. |
| |
| This leaves a key hanging in a semi-invalid state which leaves a window open |
| for a different task to try an access key->user. An example is |
| find_keyring_by_name() which would dereference key->user for a key that is |
| in the process of being garbage collected (where key->user was freed but |
| ->destroy() wasn't called yet - so it's still present in the linked list). |
| |
| This would cause either a panic, or corrupt memory. |
| |
| Fixes CVE-2014-9529. |
| |
| Signed-off-by: Sasha Levin <sasha.levin@oracle.com> |
| Signed-off-by: David Howells <dhowells@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| security/keys/gc.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| --- a/security/keys/gc.c |
| +++ b/security/keys/gc.c |
| @@ -201,12 +201,12 @@ static noinline void key_gc_unused_keys( |
| if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) |
| atomic_dec(&key->user->nikeys); |
| |
| - key_user_put(key->user); |
| - |
| /* now throw away the key memory */ |
| if (key->type->destroy) |
| key->type->destroy(key); |
| |
| + key_user_put(key->user); |
| + |
| kfree(key->description); |
| |
| #ifdef KEY_DEBUGGING |