diff options
author | David Howells <dhowells@redhat.com> | 2015-09-25 16:30:08 +0100 |
---|---|---|
committer | Ben Fennema <fennema@google.com> | 2016-11-08 17:22:55 -0800 |
commit | 26f2b76102bb5db3440a5bed3ff4be4b1536154b (patch) | |
tree | 1ca1a203ee8dc5cf4d0f167117b726d25f58548c | |
parent | 8f954b4d74e7774c5006cd058001b7484fd86918 (diff) | |
download | mediatek-26f2b76102bb5db3440a5bed3ff4be4b1536154b.tar.gz |
UPSTREAM: KEYS: Fix race between key destruction and finding a keyring by name
(cherry picked from commit 94c4554ba07adbdde396748ee7ae01e86cf2d8d7)
There appears to be a race between:
(1) key_gc_unused_keys() which frees key->security and then calls
keyring_destroy() to unlink the name from the name list
(2) find_keyring_by_name() which calls key_permission(), thus accessing
key->security, on a key before checking to see whether the key usage is 0
(ie. the key is dead and might be cleaned up).
Fix this by calling ->destroy() before cleaning up the core key data -
including key->security.
Reported-by: Petr Matousek <pmatouse@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Change-Id: I2bb1e7b7240dc81a172483ce35f569d357579b96
Bug: 31253168
-rw-r--r-- | security/keys/gc.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/security/keys/gc.c b/security/keys/gc.c index 797818695c87..483ebdf9c383 100644 --- a/security/keys/gc.c +++ b/security/keys/gc.c @@ -187,6 +187,10 @@ static noinline void key_gc_unused_keys(struct list_head *keys) kdebug("- %u", key->serial); key_check(key); + /* Throw away the key data */ + if (key->type->destroy) + key->type->destroy(key); + security_key_free(key); /* deal with the user's key tracking and quota */ @@ -201,10 +205,6 @@ static noinline void key_gc_unused_keys(struct list_head *keys) if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) atomic_dec(&key->user->nikeys); - /* now throw away the key memory */ - if (key->type->destroy) - key->type->destroy(key); - key_user_put(key->user); kfree(key->description); |