[PATCH] KEYS: Destroy by key type before removing the rest of the key

From: Sasha Levin
Date: Sat Nov 29 2014 - 22:25:05 EST


We should make sure that the key type does its destruction dance first
before we start tearing down the key structure itself so that we won't
have a live key in a semi-coherent state.

This would prevent a race between key destruction and lookup in the
keyring case, resulting in a use-after-free.

Signed-off-by: Sasha Levin <sasha.levin@xxxxxxxxxx>
---
security/keys/gc.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/security/keys/gc.c b/security/keys/gc.c
index 9609a7f..8f3b518 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -134,6 +134,9 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
kdebug("- %u", key->serial);
key_check(key);

+ if (key->type->destroy)
+ key->type->destroy(key);
+
security_key_free(key);

/* deal with the user's key tracking and quota */
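Review bot: The relocated `key->type->destroy(key)` call, now ahead of `security_key_free(key)`, has no comment saying why it has to run first, so a later cleanup could move it back without noticing. Please add a short comment above the `if (key->type->destroy)` line stating the ordering requirement. The visible lines also add no locking or other synchronization, so the changelog should spell out which lookup path can still reach the key at this point and why reordering alone closes the race rather than only narrowing the window.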
@@ -151,9 +154,6 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
key_user_put(key->user);

/* now throw away the key memory */
- if (key->type->destroy)
- key->type->destroy(key);
-
kfree(key->description);

#ifdef KEY_DEBUGGING
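Review bot: With the callback removed from just above `kfree(key->description)`, everything between the two locations (`security_key_free(key)`, the user tracking and quota block, and `key_user_put(key->user)`) now runs after the type's destroy has already torn down the type-specific state. Please confirm that none of those steps reads data the destroy callback releases, for every key type and not only the keyring case named in the changelog, and note that check in the commit message.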
--
1.7.10.4
