David Howells 63c8e45255 KEYS: Fix race between updating and finding a negative key
commit 363b02dab0 upstream.

Consolidate KEY_FLAG_INSTANTIATED, KEY_FLAG_NEGATIVE and the rejection
error into one field such that:

 (1) The instantiation state can be modified/read atomically.

 (2) The error can be accessed atomically with the state.

 (3) The error isn't stored unioned with the payload pointers.

This deals with the problem that the state is spread over three different
objects (two bits and a separate variable) and reading or updating them
atomically isn't practical, given that not only can uninstantiated keys
change into instantiated or rejected keys, but rejected keys can also turn
into instantiated keys - and someone accessing the key might not be using
any locking.

The main side effect of this problem is that what was held in the payload
may change, depending on the state.  For instance, you might observe the
key to be in the rejected state.  You then read the cached error, but if
the key semaphore wasn't locked, the key might've become instantiated
between the two reads - and you might now have something in hand that isn't
actually an error code.

The state is now KEY_IS_UNINSTANTIATED, KEY_IS_POSITIVE or a negative error
code if the key is negatively instantiated.  The key_is_instantiated()
function is replaced with key_is_positive() to avoid confusion as negative
keys are also 'instantiated'.

Additionally, barriering is included:

 (1) Order payload-set before state-set during instantiation.

 (2) Order state-read before payload-read when using the key.

Further separate barriering is necessary if RCU is being used to access the
payload content after reading the payload pointers.

Fixes: 146aa8b145 ("KEYS: Merge the type-specific data with the payload data")
Reported-by: Eric Biggers <>
Signed-off-by: David Howells <>
Reviewed-by: Eric Biggers <>
Signed-off-by: Greg Kroah-Hartman <>
2017-10-27 10:38:11 +02:00
apparmor apparmor: fix change_hat not finding hat after policy replacement 2016-11-21 18:01:28 +11:00
integrity ima: accept previously set IMA_NEW_FILE 2017-05-25 15:44:34 +02:00
keys KEYS: Fix race between updating and finding a negative key 2017-10-27 10:38:11 +02:00
loadpin LSM: LoadPin: provide enablement CONFIG 2016-05-17 20:10:30 +10:00
selinux selinux: fix off-by-one in setprocattr 2017-02-14 15:25:34 -08:00
smack lsm: fix smack_inode_removexattr and xattr_getsecurity memleak 2017-10-12 11:51:19 +02:00
tomoyo mm: replace get_user_pages_remote() write/force parameters with gup_flags 2016-10-19 08:12:02 -07:00
yama Yama: fix double-spinlock and user access in atomic context 2016-05-26 09:56:18 +10:00
Kconfig - force check_object_size() to be inline too 2016-09-07 14:03:49 -07:00
Makefile LSM: LoadPin for kernel file loading restrictions 2016-04-21 10:47:27 +10:00
commoncap.c xattr: Add __vfs_{get,set,remove}xattr helpers 2016-10-07 20:10:44 -04:00
device_cgroup.c security/device_cgroup: Fix RCU_LOCKDEP_WARN() condition 2015-09-03 18:13:10 -07:00
inode.c Merge branch 'for-linus' of git:// 2016-10-10 20:16:43 -07:00
lsm_audit.c Merge branch 'next' of git:// 2016-10-04 14:48:27 -07:00
min_addr.c mmap_min_addr check CAP_SYS_RAWIO only for write 2010-04-23 08:56:31 +10:00
security.c security, overlayfs: Provide hook to correctly label newly created files 2016-08-08 20:46:46 -04:00