Pandora Sourcecodes - pandora-kernel.git/commit

author	Sasha Levin <sasha.levin@oracle.com>
	Mon, 29 Dec 2014 14:39:01 +0000 (09:39 -0500)
committer	Ben Hutchings <ben@decadent.org.uk>
	Fri, 20 Feb 2015 00:49:41 +0000 (00:49 +0000)
commit	dc4a2f40de419c01b538c87f6bdfc15d574d9f7e
tree	87940004c641a03cc0c604b4a6c2b2bffd2983e3	tree \| snapshot
parent	38edb97e01d15f98755dd5acead722516ee923f6	commit \| diff

KEYS: close race between key lookup and freeing

commit a3a8784454692dd72e5d5d34dcdab17b4420e74c upstream.

When a key is being garbage collected, it's key->user would get put before
the ->destroy() callback is called, where the key is removed from it's
respective tracking structures.

This leaves a key hanging in a semi-invalid state which leaves a window open
for a different task to try an access key->user. An example is
find_keyring_by_name() which would dereference key->user for a key that is
in the process of being garbage collected (where key->user was freed but
->destroy() wasn't called yet - so it's still present in the linked list).

This would cause either a panic, or corrupt memory.

Fixes CVE-2014-9529.

Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David Howells <dhowells@redhat.com>
[bwh: Backported to 3.2: adjust indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>