commit 94efe72f762e2c147d8146d637d5ece5614c8d94
tree 002e4719541ad838342e01a5f8ff63ae0a618b29
parent bcf945d36fa0598f41ac4ad46a9dc43135460263
author David Howells <dhowells@redhat.com> 1123186027 -0700
committer Linus Torvalds <torvalds@g5.osdl.org> 1123186274 -0700

[PATCH] Destruction of failed keyring oopses
The attached patch makes sure that a keyring that failed to instantiate properly is destroyed without oopsing [CAN-2005-2099].

The problem occurs in three stages:

(1) The key allocator initialises the type-specific data to all zeroes. In the case of a keyring, this will become a link in the keyring name list when the keyring is instantiated.

(2) If a user (any user) attempts to add a keyring with anything other than an empty payload, the keyring instantiation function will fail with an error and won't add the keyring to the name list.

(3) The keyring's destructor then sees that the keyring has a description (name) and tries to remove the keyring from the name list, which oopses because the link pointers are both zero.

This bug permits any user to take down a box trivially.

Signed-Off-By: David Howells <dhowells@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

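The three stages above and the guard the patch adds, as an added C example that is not kernel code: it uses a constructed stand-in for the kernel's list helpers, a hypothetical simplified `struct key` whose `type_data` starts zeroed as the allocator leaves it, and simplified `keyring_instantiate`/`keyring_destroy` functions, so the never-linked case can be exercised safely in user space.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for the kernel's <linux/list.h> (not the kernel's own code). */
struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *l) { l->next = l; l->prev = l; }
static bool list_empty(const struct list_head *l) { return l->next == l; }
static void list_add(struct list_head *n, struct list_head *h)
{ n->next = h->next; n->prev = h; h->next->prev = n; h->next = n; }
static void list_del(struct list_head *e)  /* with a zeroed link, prev == NULL: the oops */
{ e->prev->next = e->next; e->next->prev = e->prev; e->next = e->prev = NULL; }

/* Hypothetical simplified key: like the real allocator, type_data starts all zero. */
struct key {
    const char *description;
    union { struct list_head link; } type_data;
};
static struct list_head keyring_name_list;  /* stand-in for the kernel's name list */

/* Stage (2): only an empty payload instantiates and links a named keyring. */
static int keyring_instantiate(struct key *keyring, size_t datalen)
{
    if (datalen != 0)
        return -1;  /* failed instantiation: the link stays {NULL, NULL} */
    if (keyring->description)
        list_add(&keyring->type_data.link, &keyring_name_list);
    return 0;
}

/* Stage (3) with the patch's guard: a never-linked keyring skips list_del. */
static void keyring_destroy(struct key *keyring)
{
    if (keyring->description && keyring->type_data.link.next != NULL &&
        !list_empty(&keyring->type_data.link))
        list_del(&keyring->type_data.link);
}

static int name_list_len(void)
{ int n = 0; for (struct list_head *p = keyring_name_list.next; p != &keyring_name_list; p = p->next) n++; return n; }

/* One keyring instantiates, one fails; returns 1 if destroying both is safe and correct. */
static int run_scenario(void)
{
    struct key good = { "good" }, bad = { "bad" };  /* remaining fields zeroed, as allocated */
    INIT_LIST_HEAD(&keyring_name_list);
    if (keyring_instantiate(&good, 0) != 0 || keyring_instantiate(&bad, 5) == 0)
        return 0;
    keyring_destroy(&bad);            /* survives only because of the guard */
    int after_bad = name_list_len();  /* good is still linked: 1 */
    keyring_destroy(&good);
    return after_bad == 1 && name_list_len() == 0;
}
```

Removing the `link.next != NULL` test from `keyring_destroy` makes the `bad` destroy dereference a NULL `prev`, which is the user-space equivalent of the oops the patch fixes.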
:100644 100644 a1f6bac647a1c3a673bfbb2b4b03d0556cc9be88 9c208c756df8136cbaa0a06f5442af60c712ae6d M security/keys/keyring.c

diff --git a/security/keys/keyring.c b/security/keys/keyring.c
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -201,7 +201,11 @@ static void keyring_destroy(struct key *

if (keyring->description) {
write_lock(&keyring_name_lock);
- list_del(&keyring->type_data.link);
+
+ if (keyring->type_data.link.next != NULL &&
+ !list_empty(&keyring->type_data.link))
+ list_del(&keyring->type_data.link);
+
write_unlock(&keyring_name_lock);
}

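Review bot: the new guard at `+ if (keyring->type_data.link.next != NULL &&` relies on an invariant the hunk leaves undocumented: a NULL `next` means "never linked into keyring_name_list" only because the allocator zeroes type_data and nothing touches the link before instantiation succeeds. A one-line comment stating that would stop a later change to the allocator (for example initialising the link with INIT_LIST_HEAD, after which `!list_empty()` alone would be the right test and the NULL check would be dead) from silently reintroducing the oops. Minor style point: the two blank `+` lines added inside the locked region carry no content and could be dropped.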