[thirdparty/kernel/stable-queue.git] / releases / 3.10.67 / keys-close-race-between-key-lookup-and-freeing.patch

From a3a8784454692dd72e5d5d34dcdab17b4420e74c Mon Sep 17 00:00:00 2001
From: Sasha Levin <sasha.levin@oracle.com>
Date: Mon, 29 Dec 2014 09:39:01 -0500
Subject: KEYS: close race between key lookup and freeing

From: Sasha Levin <sasha.levin@oracle.com>

commit a3a8784454692dd72e5d5d34dcdab17b4420e74c upstream.

When a key is being garbage collected, it's key->user would get put before
the ->destroy() callback is called, where the key is removed from it's
respective tracking structures.

This leaves a key hanging in a semi-invalid state which leaves a window open
for a different task to try an access key->user. An example is
find_keyring_by_name() which would dereference key->user for a key that is
in the process of being garbage collected (where key->user was freed but
->destroy() wasn't called yet - so it's still present in the linked list).

This would cause either a panic, or corrupt memory.

Fixes CVE-2014-9529.

Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 security/keys/gc.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -201,12 +201,12 @@ static noinline void key_gc_unused_keys(
 		if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
 			atomic_dec(&key->user->nikeys);
 
-		key_user_put(key->user);
-
 		/* now throw away the key memory */
 		if (key->type->destroy)
 			key->type->destroy(key);
 
+		key_user_put(key->user);
+
 		kfree(key->description);
 
 #ifdef KEY_DEBUGGING
Commit	Line	Data
025b732f GKH	1	From a3a8784454692dd72e5d5d34dcdab17b4420e74c Mon Sep 17 00:00:00 2001
	2	From: Sasha Levin <sasha.levin@oracle.com>
	3	Date: Mon, 29 Dec 2014 09:39:01 -0500
	4	Subject: KEYS: close race between key lookup and freeing
	5
	6	From: Sasha Levin <sasha.levin@oracle.com>
	7
	8	commit a3a8784454692dd72e5d5d34dcdab17b4420e74c upstream.
	9
	10	When a key is being garbage collected, it's key->user would get put before
	11	the ->destroy() callback is called, where the key is removed from it's
	12	respective tracking structures.
	13
	14	This leaves a key hanging in a semi-invalid state which leaves a window open
	15	for a different task to try an access key->user. An example is
	16	find_keyring_by_name() which would dereference key->user for a key that is
	17	in the process of being garbage collected (where key->user was freed but
	18	->destroy() wasn't called yet - so it's still present in the linked list).
	19
	20	This would cause either a panic, or corrupt memory.
	21
	22	Fixes CVE-2014-9529.
	23
	24	Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
	25	Signed-off-by: David Howells <dhowells@redhat.com>
	26	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	27
	28	---
	29	security/keys/gc.c \| 4 ++--
	30	1 file changed, 2 insertions(+), 2 deletions(-)
	31
	32	--- a/security/keys/gc.c
	33	+++ b/security/keys/gc.c
	34	@@ -201,12 +201,12 @@ static noinline void key_gc_unused_keys(
	35	if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
	36	atomic_dec(&key->user->nikeys);
	37
	38	- key_user_put(key->user);
	39	-
	40	/* now throw away the key memory */
	41	if (key->type->destroy)
	42	key->type->destroy(key);
	43
	44	+ key_user_put(key->user);
	45	+
	46	kfree(key->description);
	47
	48	#ifdef KEY_DEBUGGING