Merge branch 'keys-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs

Pull key handling fixes from David Howells:
 "Here are two patches, the first of which at least should go upstream
  immediately:

  (1) Prevent a user-triggerable crash in the keyrings destructor when a
      negatively instantiated keyring is garbage collected.  I have also
      seen this triggered for user type keys.

  (2) Prevent the user from requesting that a keyring be created
      and instantiated through an upcall.  Doing so is probably safe
      since the keyring type ignores the arguments to its instantiation
      function - but we probably shouldn't let keyrings be created in
      this manner"

* 'keys-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
  KEYS: Don't permit request_key() to construct a new keyring
  KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring
Linus Torvalds 2015-10-20 16:09:36 +09:00
commit ce1fad2740
2 changed files with 7 additions and 2 deletions


@ -134,8 +134,10 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
kdebug("- %u", key->serial); kdebug("- %u", key->serial);
key_check(key); key_check(key);
/* Throw away the key data */ /* Throw away the key data if the key is instantiated */
if (key->type->destroy) if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags) &&
!test_bit(KEY_FLAG_NEGATIVE, &key->flags) &&
key->type->destroy)
key->type->destroy(key); key->type->destroy(key);
security_key_free(key); security_key_free(key);
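Review bot: The rewritten comment above the `test_bit()` guard says what is checked but not why, and the why is the security-relevant part: per the pull message, garbage collecting a negatively instantiated keyring crashed in the type destructor. I would word it as `/* Throw away the key data, but only for a positively instantiated key: ->destroy() must not run on a negative or uninstantiated key */`. The guard also becomes an implicit precondition for every key type's `destroy` op, so it belongs in the key type documentation too. Any other teardown path that calls `->destroy()` presumably needs the same precondition, which cannot be confirmed from this hunk. key_gc_unused_keys() starts and ends outside the hunk.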


@ -440,6 +440,9 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx,
kenter(""); kenter("");
if (ctx->index_key.type == &key_type_keyring)
return ERR_PTR(-EPERM);
user = key_user_lookup(current_fsuid()); user = key_user_lookup(current_fsuid());
if (!user) if (!user)
return ERR_PTR(-ENOMEM); return ERR_PTR(-ENOMEM);
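Review bot: The early `return ERR_PTR(-EPERM);` for `&key_type_keyring` carries no comment, so a later reader cannot tell that it is a deliberate policy check rather than a leftover. Add `/* Keyrings must not be constructed through a request_key() upcall */` above the `if`. The test sits in construct_key_and_link(), so it only covers callers that reach key construction through this function. If another construction entry point exists outside this hunk, it would need the same test. The function body continues past the hunk.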