mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-30 01:46:30 -05:00
52 lines
1.6 KiB
Diff
52 lines
1.6 KiB
Diff
From dc4a2f40de419c01b538c87f6bdfc15d574d9f7e Mon Sep 17 00:00:00 2001
|
|
From: Sasha Levin <sasha.levin@oracle.com>
|
|
Date: Mon, 29 Dec 2014 09:39:01 -0500
|
|
Subject: KEYS: close race between key lookup and freeing
|
|
|
|
commit a3a8784454692dd72e5d5d34dcdab17b4420e74c upstream.
|
|
|
|
When a key is being garbage collected, it's key->user would get put before
|
|
the ->destroy() callback is called, where the key is removed from it's
|
|
respective tracking structures.
|
|
|
|
This leaves a key hanging in a semi-invalid state which leaves a window open
|
|
for a different task to try an access key->user. An example is
|
|
find_keyring_by_name() which would dereference key->user for a key that is
|
|
in the process of being garbage collected (where key->user was freed but
|
|
->destroy() wasn't called yet - so it's still present in the linked list).
|
|
|
|
This would cause either a panic, or corrupt memory.
|
|
|
|
Fixes CVE-2014-9529.
|
|
|
|
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
|
|
Signed-off-by: David Howells <dhowells@redhat.com>
|
|
[bwh: Backported to 3.2: adjust indentation]
|
|
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
|
---
|
|
security/keys/gc.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/security/keys/gc.c b/security/keys/gc.c
|
|
index bf4d8da..2e2395d 100644
|
|
--- a/security/keys/gc.c
|
|
+++ b/security/keys/gc.c
|
|
@@ -186,12 +186,12 @@ static noinline void key_gc_unused_key(struct key *key)
|
|
if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
|
|
atomic_dec(&key->user->nikeys);
|
|
|
|
- key_user_put(key->user);
|
|
-
|
|
/* now throw away the key memory */
|
|
if (key->type->destroy)
|
|
key->type->destroy(key);
|
|
|
|
+ key_user_put(key->user);
|
|
+
|
|
kfree(key->description);
|
|
|
|
#ifdef KEY_DEBUGGING
|
|
--
|
|
cgit v1.1
|
|
|