Re: Oops (request_key_auth_describe) while running cve-2016-7042 from LTP

From: David Howells
Date: Fri Aug 30 2019 - 10:13:07 EST

Next message: Daniel Axtens: "Re: [PATCH v5 1/5] kasan: support backing vmalloc space with real shadow memory"
Previous message: Borislav Petkov: "Re: [PATCHv2 0/4] x86/mce: protect nr_cpus from rebooting by broadcast mce"
In reply to: Sachin Sant: "Re: Oops (request_key_auth_describe) while running cve-2016-7042 from LTP"
Next in thread: David Howells: "Re: Oops (request_key_auth_describe) while running cve-2016-7042 from LTP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hillf Danton <hdanton@xxxxxxxx> wrote:

> - struct request_key_auth *rka = dereference_key_rcu(key);
> + struct request_key_auth *rka;
> +
> + rcu_read_lock();
> + rka = dereference_key_rcu(key);

This shouldn't help as the caller, proc_keys_show(), is holding the RCU read
lock across the call. The end of the function reads:

if (key->type->describe)
key->type->describe(key, m);
seq_putc(m, '\n');

rcu_read_unlock();
return 0;
}

and the documentation says "This method will be called with the RCU read lock
held".

I suspect the actual bugfix is this bit:

> + if (!rka)
> + goto out;

David

Next message: Daniel Axtens: "Re: [PATCH v5 1/5] kasan: support backing vmalloc space with real shadow memory"
Previous message: Borislav Petkov: "Re: [PATCHv2 0/4] x86/mce: protect nr_cpus from rebooting by broadcast mce"
In reply to: Sachin Sant: "Re: Oops (request_key_auth_describe) while running cve-2016-7042 from LTP"
Next in thread: David Howells: "Re: Oops (request_key_auth_describe) while running cve-2016-7042 from LTP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]