    KEYS: close race between key lookup and freeing · a7033e30
    Sasha Levin authored
    commit a3a8784454692dd72e5d5d34dcdab17b4420e74c upstream.
    
    When a key is being garbage collected, its key->user would get put before
    the ->destroy() callback is called, where the key is removed from its
    respective tracking structures.
    
    This leaves a key hanging in a semi-invalid state which leaves a window open
    for a different task to try and access key->user. An example is
    find_keyring_by_name() which would dereference key->user for a key that is
    in the process of being garbage collected (where key->user was freed but
    ->destroy() wasn't called yet - so it's still present in the linked list).
    
    This would cause either a panic, or corrupt memory.
    
    Fixes CVE-2014-9529.
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>