Message ID | 1421254051-23789-3-git-send-email-luis.henriques@canonical.com |
---|---|
State | New |
On Wed, Jan 14, 2015 at 04:47:31PM +0000, Luis Henriques wrote: > From: Sasha Levin <sasha.levin@oracle.com> > > When a key is being garbage collected, its key->user would get put before > the ->destroy() callback is called, where the key is removed from its > respective tracking structures. > > This leaves a key hanging in a semi-invalid state which leaves a window open > for a different task to try and access key->user. An example is > find_keyring_by_name() which would dereference key->user for a key that is > in the process of being garbage collected (where key->user was freed but > ->destroy() wasn't called yet - so it's still present in the linked list). > > This would cause either a panic, or corrupt memory. > > Fixes CVE-2014-9529. > > Signed-off-by: Sasha Levin <sasha.levin@oracle.com> > Signed-off-by: David Howells <dhowells@redhat.com> > (backported from commit a3a8784454692dd72e5d5d34dcdab17b4420e74c) > CVE-2014-9529 > BugLink: http://bugs.launchpad.net/bugs/1409048 > Signed-off-by: Luis Henriques <luis.henriques@canonical.com> > --- > security/keys/gc.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/security/keys/gc.c b/security/keys/gc.c > index bf4d8da5a795..2e2395d6bd16 100644 > --- a/security/keys/gc.c > +++ b/security/keys/gc.c > @@ -186,12 +186,12 @@ static noinline void key_gc_unused_key(struct key *key) > if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) > atomic_dec(&key->user->nikeys); > > - key_user_put(key->user); > - > /* now throw away the key memory */ > if (key->type->destroy) > key->type->destroy(key); > > + key_user_put(key->user); > + > kfree(key->description); > > #ifdef KEY_DEBUGGING > -- > 2.1.4 > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team Applied to Precise master-next
diff --git a/security/keys/gc.c b/security/keys/gc.c index bf4d8da5a795..2e2395d6bd16 100644 --- a/security/keys/gc.c +++ b/security/keys/gc.c @@ -186,12 +186,12 @@ static noinline void key_gc_unused_key(struct key *key) if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) atomic_dec(&key->user->nikeys); - key_user_put(key->user); - /* now throw away the key memory */ if (key->type->destroy) key->type->destroy(key); + key_user_put(key->user); + kfree(key->description); #ifdef KEY_DEBUGGING
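Review bot: the reordering is correct, but the hunk leaves no comment explaining why key_user_put() must now follow ->destroy(), so a later cleanup could move it back above the "now throw away the key memory" comment without anyone noticing; suggest a one-line comment above the moved call, e.g. `/* key->user must stay valid until ->destroy() has unlinked the key (find_keyring_by_name() walks that list) */`. The atomic_dec(&key->user->nikeys) in the leading context still dereferences key->user before the put, which is fine under either ordering and needs no change.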
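As an added illustration, not part of the patch or of the kernel source, the following user-space C model reproduces the teardown ordering the commit message describes. The structure and function names (key, key_user, keyring_name_list, key_user_put, find_keyring_by_name) mirror the kernel's but are simplified stand-ins; released key_user objects are quarantined and flagged dead rather than freed, so the dangling dereference during the GC window is reported as a value instead of being a real use-after-free. simulate(1) runs the pre-patch order (key_user_put before ->destroy) and returns 1 because a lookup in the window reaches a key whose user is already released; simulate(0) runs the patched order and returns 0.

```c
/* Added example, not kernel code: model of the key_gc_unused_key() ordering
 * bug. All names below are simplified stand-ins for the kernel's structures. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct key_user {
    int usage;      /* reference count held by keys and other users */
    int dead;       /* set when usage drops to zero; stands in for kfree() */
    int nikeys;
    char name[16];
};

struct key {
    struct key_user *user;
    char *description;
    struct key *next_by_name;            /* link in the global name list */
    void (*destroy)(struct key *);
};

/* Model of the kernel's list of keyrings searchable by name. */
static struct key *keyring_name_list;

/* Drop a reference; on the last drop the object is quarantined (marked dead)
 * instead of being freed, so later accesses can be detected. */
static void key_user_put(struct key_user *u) {
    if (--u->usage == 0)
        u->dead = 1;
}

/* ->destroy() callback: unlink the key from the name list. */
static void keyring_destroy(struct key *key) {
    struct key **pp;
    for (pp = &keyring_name_list; *pp; pp = &(*pp)->next_by_name) {
        if (*pp == key) {
            *pp = key->next_by_name;
            break;
        }
    }
}

/* Model of find_keyring_by_name(): walks the list and dereferences key->user.
 * Returns 1 if the matching key's user has already been released (the bug's
 * symptom; in the kernel this would be a read of freed memory), else 0. */
static int find_keyring_by_name_touches_dead_user(const char *desc) {
    struct key *k;
    for (k = keyring_name_list; k; k = k->next_by_name)
        if (strcmp(k->description, desc) == 0)
            return k->user->dead;
    return 0;
}

/* Garbage-collect one key. put_first selects the pre-patch order (put before
 * ->destroy) versus the patched order. observer models a concurrent lookup
 * running in the window between the two steps; its result is returned. */
static int gc_unused_key(struct key *key, int put_first,
                         int (*observer)(const char *)) {
    int seen_dead = 0;
    if (put_first)
        key_user_put(key->user);
    if (observer)
        seen_dead = observer(key->description);
    if (key->destroy)
        key->destroy(key);
    if (!put_first)
        key_user_put(key->user);
    free(key->description);
    free(key);
    return seen_dead;
}

/* Build a one-key world (constructed sample data) and run the GC with the
 * requested ordering. Returns 1 if the concurrent lookup observed a key whose
 * user had already been released. */
static int simulate(int put_first) {
    struct key_user *u = calloc(1, sizeof *u);
    struct key *k = calloc(1, sizeof *k);
    const char *desc = "_uid.1000";
    u->usage = 1;                        /* the key holds the only reference */
    snprintf(u->name, sizeof u->name, "uid1000");
    k->user = u;
    k->description = malloc(strlen(desc) + 1);
    strcpy(k->description, desc);
    k->destroy = keyring_destroy;
    k->next_by_name = keyring_name_list;
    keyring_name_list = k;
    int r = gc_unused_key(k, put_first, find_keyring_by_name_touches_dead_user);
    free(u);                             /* release the quarantined object */
    keyring_name_list = NULL;
    return r;
}

int main(void) {
    printf("put before ->destroy(): lookup saw released user = %d\n", simulate(1));
    printf("put after  ->destroy(): lookup saw released user = %d\n", simulate(0));
    return 0;
}
```

The observer hook stands in for the scheduler: in the kernel the window is opened by a real concurrent task, whereas here the lookup is invoked deterministically between the two steps so the outcome of each ordering can be checked directly.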