KEYS: Fix race between key destruction and finding a keyring by name
authorDavid Howells <dhowells@redhat.com>
Fri, 25 Sep 2015 15:30:08 +0000 (16:30 +0100)
committerDavid Howells <dhowells@redhat.com>
Fri, 25 Sep 2015 15:30:08 +0000 (16:30 +0100)
commit94c4554ba07adbdde396748ee7ae01e86cf2d8d7
tree13cb745526d6c46d8d2f2c0dc30eba546f1f5857
parentced255c0c5fb9ab52c9465982f23b1c14005ef8b
KEYS: Fix race between key destruction and finding a keyring by name

There appears to be a race between:

 (1) key_gc_unused_keys() which frees key->security and then calls
     keyring_destroy() to unlink the name from the name list

 (2) find_keyring_by_name() which calls key_permission(), thus accessing
     key->security, on a key before checking to see whether the key usage is 0
     (ie. the key is dead and might be cleaned up).

Fix this by calling ->destroy() before cleaning up the core key data -
including key->security.

Reported-by: Petr Matousek <pmatouse@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
security/keys/gc.c