All of lore.kernel.org
 help / color / mirror / Atom feed
From: David Jeffery <djeffery@redhat.com>
To: keyrings@linux-nfs.org
Cc: David Howells <dhowells@redhat.com>, linux-kernel@vger.kernel.org
Subject: [PATCH] Don't leak a key reference if request_key() tries to use a revoked keyring
Date: Wed, 11 Feb 2015 16:26:47 -0500	[thread overview]
Message-ID: <20150211212647.GA425@rage.redhat.com> (raw)

If a request_key() call to allocate and fill out a key attempts to insert the
key structure into a revoked keyring, the key will leak, using memory and part
of the user's key quota until the system reboots. This is from a failure of
construct_alloc_key() to decrement the key's reference count after the attempt
to insert into the requested keyring is rejected.

key_put() needs to be called in the link_prealloc_failed callpath to ensure
the unused key is released.

Signed-off-by: David Jeffery <djeffery@redhat.com>

---

The basic way to trigger this is to use keyctl to revoke a session's keyring,
then do an action which will trigger request_key().  request_key() will fail
and a key will leak.


diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index 0c7aea4..486ef6f 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -414,6 +414,7 @@ link_check_failed:
 
 link_prealloc_failed:
 	mutex_unlock(&user->cons_lock);
+	key_put(key);
 	kleave(" = %d [prelink]", ret);
 	return ret;
 

             reply	other threads:[~2015-02-11 21:26 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-02-11 21:26 David Jeffery [this message]
2015-02-12 16:46 ` [PATCH] Don't leak a key reference if request_key() tries to use a revoked keyring David Howells
  -- strict thread matches above, loose matches on Subject: below --
2015-02-12 16:45 David Howells
2015-02-16  2:27 ` James Morris

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150211212647.GA425@rage.redhat.com \
    --to=djeffery@redhat.com \
    --cc=dhowells@redhat.com \
    --cc=keyrings@linux-nfs.org \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.