diff mbox

[CVE-2014-9529,Lucid] KEYS: close race between key lookup and freeing

Message ID 1421254051-23789-2-git-send-email-luis.henriques@canonical.com
State New
Headers show

Commit Message

Luis Henriques Jan. 14, 2015, 4:47 p.m. UTC 
From: Sasha Levin <sasha.levin@oracle.com>

When a key is being garbage collected, it's key->user would get put before
the ->destroy() callback is called, where the key is removed from it's
respective tracking structures.

This leaves a key hanging in a semi-invalid state which leaves a window open
for a different task to try an access key->user. An example is
find_keyring_by_name() which would dereference key->user for a key that is
in the process of being garbage collected (where key->user was freed but
->destroy() wasn't called yet - so it's still present in the linked list).

This would cause either a panic, or corrupt memory.

Fixes CVE-2014-9529.

Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David Howells <dhowells@redhat.com>
(backported from commit a3a8784454692dd72e5d5d34dcdab17b4420e74c)
CVE-2014-9529
BugLink: http://bugs.launchpad.net/bugs/1409048
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 security/keys/key.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Brad Figg Jan. 15, 2015, 7:05 p.m. UTC | #1 
On Wed, Jan 14, 2015 at 04:47:30PM +0000, Luis Henriques wrote:
> From: Sasha Levin <sasha.levin@oracle.com>
> 
> When a key is being garbage collected, it's key->user would get put before
> the ->destroy() callback is called, where the key is removed from it's
> respective tracking structures.
> 
> This leaves a key hanging in a semi-invalid state which leaves a window open
> for a different task to try an access key->user. An example is
> find_keyring_by_name() which would dereference key->user for a key that is
> in the process of being garbage collected (where key->user was freed but
> ->destroy() wasn't called yet - so it's still present in the linked list).
> 
> This would cause either a panic, or corrupt memory.
> 
> Fixes CVE-2014-9529.
> 
> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
> Signed-off-by: David Howells <dhowells@redhat.com>
> (backported from commit a3a8784454692dd72e5d5d34dcdab17b4420e74c)
> CVE-2014-9529
> BugLink: http://bugs.launchpad.net/bugs/1409048
> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
> ---
>  security/keys/key.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/security/keys/key.c b/security/keys/key.c
> index e50d264c9ad1..27d5ad7c4a4d 100644
> --- a/security/keys/key.c
> +++ b/security/keys/key.c
> @@ -577,12 +577,12 @@ static void key_cleanup(struct work_struct *work)
>  	if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
>  		atomic_dec(&key->user->nikeys);
>  
> -	key_user_put(key->user);
> -
>  	/* now throw away the key memory */
>  	if (key->type->destroy)
>  		key->type->destroy(key);
>  
> +	key_user_put(key->user);
> +
>  	kfree(key->description);
>  
>  #ifdef KEY_DEBUGGING
> -- 
> 2.1.4
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Applied to Lucid master-next
diff mbox

Patch

diff --git a/security/keys/key.c b/security/keys/key.c
index e50d264c9ad1..27d5ad7c4a4d 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -577,12 +577,12 @@  static void key_cleanup(struct work_struct *work)
 	if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
 		atomic_dec(&key->user->nikeys);
 
-	key_user_put(key->user);
-
 	/* now throw away the key memory */
 	if (key->type->destroy)
 		key->type->destroy(key);
 
+	key_user_put(key->user);
+
 	kfree(key->description);
 
 #ifdef KEY_DEBUGGING