• Hillf Danton's avatar
    keys: Fix missing null pointer check in request_key_auth_describe() · d41a3eff
    Hillf Danton authored
    If a request_key authentication token key gets revoked, there's a window in
    which request_key_auth_describe() can see it with a NULL payload - but it
    makes no check for this and something like the following oops may occur:
    
    	BUG: Kernel NULL pointer dereference at 0x00000038
    	Faulting instruction address: 0xc0000000004ddf30
    	Oops: Kernel access of bad area, sig: 11 [#1]
    	...
    	NIP [...] request_key_auth_describe+0x90/0xd0
    	LR [...] request_key_auth_describe+0x54/0xd0
    	Call Trace:
    	[...] request_key_auth_describe+0x54/0xd0 (unreliable)
    	[...] proc_keys_show+0x308/0x4c0
    	[...] seq_read+0x3d0/0x540
    	[...] proc_reg_read+0x90/0x110
    	[...] __vfs_read+0x3c/0x70
    	[...] vfs_read+0xb4/0x1b0
    	[...] ksys_read+0x7c/0x130
    	[...] system_call+0x5c/0x70
    
    Fix this by checking for a NULL pointer when describing such a key.
    
    Also make the read routine check for a NULL pointer to be on the safe side.
    
    [DH: Modified to not take already-held rcu lock and modified to also check
     in the read routine]
    
    Fixes: 04c567d9 ("[PATCH] Keys: Fix race between two instantiators of a key")
    Reported-by: default avatarSachin Sant <sachinp@linux.vnet.ibm.com>
    Signed-off-by: default avatarHillf Danton <hdanton@sina.com>
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Tested-by: default avatarSachin Sant <sachinp@linux.vnet.ibm.com>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    d41a3eff
Name
Last commit
Last update
..
apparmor Loading commit data...
integrity Loading commit data...
keys Loading commit data...
loadpin Loading commit data...
safesetid Loading commit data...
selinux Loading commit data...
smack Loading commit data...
tomoyo Loading commit data...
yama Loading commit data...
Kconfig Loading commit data...
Kconfig.hardening Loading commit data...
Makefile Loading commit data...
commoncap.c Loading commit data...
device_cgroup.c Loading commit data...
inode.c Loading commit data...
lsm_audit.c Loading commit data...
min_addr.c Loading commit data...
security.c Loading commit data...