[CVE-2014-9529][Lucid] KEYS: close race between key lookup and freeing
Luis Henriques
luis.henriques at canonical.com
Wed Jan 14 16:47:30 UTC 2015
From: Sasha Levin <sasha.levin at oracle.com>
When a key is being garbage collected, it's key->user would get put before
the ->destroy() callback is called, where the key is removed from it's
respective tracking structures.
This leaves a key hanging in a semi-invalid state which leaves a window open
for a different task to try an access key->user. An example is
find_keyring_by_name() which would dereference key->user for a key that is
in the process of being garbage collected (where key->user was freed but
->destroy() wasn't called yet - so it's still present in the linked list).
This would cause either a panic, or corrupt memory.
Fixes CVE-2014-9529.
Signed-off-by: Sasha Levin <sasha.levin at oracle.com>
Signed-off-by: David Howells <dhowells at redhat.com>
(backported from commit a3a8784454692dd72e5d5d34dcdab17b4420e74c)
CVE-2014-9529
BugLink: http://bugs.launchpad.net/bugs/1409048
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
security/keys/key.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/keys/key.c b/security/keys/key.c
index e50d264c9ad1..27d5ad7c4a4d 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -577,12 +577,12 @@ static void key_cleanup(struct work_struct *work)
if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
atomic_dec(&key->user->nikeys);
- key_user_put(key->user);
-
/* now throw away the key memory */
if (key->type->destroy)
key->type->destroy(key);
+ key_user_put(key->user);
+
kfree(key->description);
#ifdef KEY_DEBUGGING
--
2.1.4
More information about the kernel-team
mailing list