author | Linus Torvalds <torvalds@linux-foundation.org> | 2015-10-20 03:09:36 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2015-10-20 03:09:36 -0400 |
commit | ce1fad2740c648a4340f6f6c391a8a83769d2e8c (patch) | |
tree | 8d19a392845cae4ca37639ace41105c34a7b20d1 | |
parent | 1099f86044111e9a7807f09523e42d4c9d0fb781 (diff) | |
parent | 911b79cde95c7da0ec02f48105358a36636b7a71 (diff) |
Merge branch 'keys-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs
Pull key handling fixes from David Howells:
"Here are two patches, the first of which at least should go upstream
immediately:
(1) Prevent a user-triggerable crash in the keyrings destructor when a
negatively instantiated keyring is garbage collected. I have also
seen this triggered for user type keys.
(2) Prevent the user from requesting that a keyring be created
and instantiated through an upcall. Doing so is probably safe
since the keyring type ignores the arguments to its instantiation
function - but we probably shouldn't let keyrings be created in
this manner"
* 'keys-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
KEYS: Don't permit request_key() to construct a new keyring
KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring
-rw-r--r-- | security/keys/gc.c | 6 | ||||
-rw-r--r-- | security/keys/request_key.c | 3 |
2 files changed, 7 insertions, 2 deletions
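--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -134,8 +134,10 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
 kdebug("- %u", key->serial);
 key_check(key);
 
-/* Throw away the key data */
-if (key->type->destroy)
+/* Throw away the key data if the key is instantiated */
+if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags) &&
+!test_bit(KEY_FLAG_NEGATIVE, &key->flags) &&
+key->type->destroy)
 key->type->destroy(key);
 
 security_key_free(key);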
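Review bot: The rewritten comment above the `if` says only "if the key is instantiated", but the condition also skips negatively instantiated keys, and nothing records why ->destroy() must not run for either case. A comment such as `/* Only a positively instantiated key has data for ->destroy() to release; running it on an uninstantiated or negative key can crash */` would keep the invariant from the commit message next to the code (the "has data" part is inferred from that message, not visible here). If the keys headers already offer a single predicate for "instantiated and not negative", using it here would keep this test in step with any other path that calls ->destroy(); that is not visible in this hunk. key_gc_unused_keys() starts and continues outside the hunk.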
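--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -440,6 +440,9 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx,
 
 kenter("");
 
+if (ctx->index_key.type == &key_type_keyring)
+return ERR_PTR(-EPERM);
+
 user = key_user_lookup(current_fsuid());
 if (!user)
 return ERR_PTR(-ENOMEM);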
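Review bot: The new keyring-type guard in construct_key_and_link() carries no comment, so the reason for returning -EPERM lives only in the commit message. A line above the `if` such as `/* Keyrings may not be created through an upcall; request_key() may only find an existing one */` would stop the check from being dropped later as redundant. Because the guard sits on the construction path, the preceding search presumably can still return a keyring that already exists; if that is the intent, it is worth stating in the comment. The -EPERM result for type "keyring" should also appear in the request_key() documentation. The function body continues outside the hunk.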