All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] KEYS: Fix a NULL pointer deref in the user-defined key type
@ 2011-11-15 22:09 David Howells
  2011-11-15 22:54 ` Greg KH
  0 siblings, 1 reply; 2+ messages in thread
From: David Howells @ 2011-11-15 22:09 UTC (permalink / raw)
  To: torvalds, akpm
  Cc: linux-security-module, keyrings, linux-kernel, David Howells,
	Jeff Layton, Neil Horman, Steve Dickson, James Morris

Fix a NULL pointer deref in the user-defined key type whereby updating a
negative key into a fully instantiated key will cause an oops to occur when the
code attempts to free the non-existent old payload.

This results in an oops that looks something like the following:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
IP: [<ffffffff81085fa1>] __call_rcu+0x11/0x13e
PGD 3391d067 PUD 3894a067 PMD 0
Oops: 0002 [#1] SMP
CPU 1
Modules linked in:

Pid: 4354, comm: keyctl Not tainted 3.1.0-fsdevel+ #1140                  /DG965RY
RIP: 0010:[<ffffffff81085fa1>]  [<ffffffff81085fa1>] __call_rcu+0x11/0x13e
RSP: 0018:ffff88003d591df8  EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000006e
RDX: ffffffff8161d0c0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff88003d591e18 R08: 0000000000000000 R09: ffffffff8152fa6c
R10: 0000000000000000 R11: 0000000000000300 R12: ffff88003b8f9538
R13: ffffffff8161d0c0 R14: ffff88003b8f9d50 R15: ffff88003c69f908
FS:  00007f97eb18c720(0000) GS:ffff88003bd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 000000003d47a000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process keyctl (pid: 4354, threadinfo ffff88003d590000, task ffff88003c78a040)
Stack:
 ffff88003e0ffde0 ffff88003b8f9538 0000000000000001 ffff88003b8f9d50
 ffff88003d591e28 ffffffff810860f0 ffff88003d591e68 ffffffff8117bfea
 ffff88003d591e68 ffffffff00000000 ffff88003e0ffde1 ffff88003e0ffde0
Call Trace:
 [<ffffffff810860f0>] call_rcu_sched+0x10/0x12
 [<ffffffff8117bfea>] user_update+0x8d/0xa2
 [<ffffffff8117723a>] key_create_or_update+0x236/0x270
 [<ffffffff811789b1>] sys_add_key+0x123/0x17e
 [<ffffffff8105d0de>] ? trace_hardirqs_on_caller+0x11e/0x155
 [<ffffffff811d92ee>] ? trace_hardirqs_on_thunk+0x3a/0x3f
 [<ffffffff813b84bb>] system_call_fastpath+0x16/0x1b

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Neil Horman <nhorman@redhat.com>
Acked-by: Steve Dickson <steved@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
---

 security/keys/user_defined.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
index 5b366d7..69ff52c 100644
--- a/security/keys/user_defined.c
+++ b/security/keys/user_defined.c
@@ -102,7 +102,8 @@ int user_update(struct key *key, const void *data, size_t datalen)
 		key->expiry = 0;
 	}
 
-	kfree_rcu(zap, rcu);
+	if (zap)
+		kfree_rcu(zap, rcu);
 
 error:
 	return ret;


^ permalink raw reply related	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2011-11-15 22:54 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-11-15 22:09 [PATCH] KEYS: Fix a NULL pointer deref in the user-defined key type David Howells
2011-11-15 22:54 ` Greg KH

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.