From: ebiggers3@gmail.com (Eric Biggers)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v3 6/7] KEYS: load key flags and expiry time atomically in proc_keys_show()
Date: Wed, 27 Sep 2017 12:50:46 -0700 [thread overview]
Message-ID: <20170927195047.122358-7-ebiggers3@gmail.com> (raw)
In-Reply-To: <20170927195047.122358-1-ebiggers3@gmail.com>
From: Eric Biggers <ebiggers@google.com>
In proc_keys_show(), the key semaphore is not held, so the key ->flags
and ->expiry can be changed concurrently. We therefore should read them
atomically just once. Otherwise /proc/keys may show an inconsistent
state, such a key that is negative ('N') but not instantiated ('I').
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
security/keys/proc.c | 28 ++++++++++++++++------------
1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/security/keys/proc.c b/security/keys/proc.c
index de834309d100..a038069ac46a 100644
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -179,7 +179,9 @@ static int proc_keys_show(struct seq_file *m, void *v)
struct rb_node *_p = v;
struct key *key = rb_entry(_p, struct key, serial_node);
struct timespec now;
+ time_t expiry;
unsigned long timo;
+ unsigned long flags;
key_ref_t key_ref, skey_ref;
char xbuf[16];
int rc;
@@ -217,12 +219,13 @@ static int proc_keys_show(struct seq_file *m, void *v)
rcu_read_lock();
/* come up with a suitable timeout value */
- if (key->expiry == 0) {
+ expiry = READ_ONCE(key->expiry);
+ if (expiry == 0) {
memcpy(xbuf, "perm", 5);
- } else if (now.tv_sec >= key->expiry) {
+ } else if (now.tv_sec >= expiry) {
memcpy(xbuf, "expd", 5);
} else {
- timo = key->expiry - now.tv_sec;
+ timo = expiry - now.tv_sec;
if (timo < 60)
sprintf(xbuf, "%lus", timo);
@@ -236,18 +239,19 @@ static int proc_keys_show(struct seq_file *m, void *v)
sprintf(xbuf, "%luw", timo / (60*60*24*7));
}
-#define showflag(KEY, LETTER, FLAG) \
- (test_bit(FLAG, &(KEY)->flags) ? LETTER : '-')
+#define showflag(FLAGS, LETTER, FLAG) \
+ ((FLAGS & (1 << FLAG)) ? LETTER : '-')
+ flags = READ_ONCE(key->flags);
seq_printf(m, "%08x %c%c%c%c%c%c%c %5d %4s %08x %5d %5d %-9.9s ",
key->serial,
- showflag(key, 'I', KEY_FLAG_INSTANTIATED),
- showflag(key, 'R', KEY_FLAG_REVOKED),
- showflag(key, 'D', KEY_FLAG_DEAD),
- showflag(key, 'Q', KEY_FLAG_IN_QUOTA),
- showflag(key, 'U', KEY_FLAG_USER_CONSTRUCT),
- showflag(key, 'N', KEY_FLAG_NEGATIVE),
- showflag(key, 'i', KEY_FLAG_INVALIDATED),
+ showflag(flags, 'I', KEY_FLAG_INSTANTIATED),
+ showflag(flags, 'R', KEY_FLAG_REVOKED),
+ showflag(flags, 'D', KEY_FLAG_DEAD),
+ showflag(flags, 'Q', KEY_FLAG_IN_QUOTA),
+ showflag(flags, 'U', KEY_FLAG_USER_CONSTRUCT),
+ showflag(flags, 'N', KEY_FLAG_NEGATIVE),
+ showflag(flags, 'i', KEY_FLAG_INVALIDATED),
refcount_read(&key->usage),
xbuf,
key->perm,
--
2.14.2.822.g60be5d43e6-goog
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-09-27 19:50 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-27 19:50 [PATCH v3 0/7] KEYS: instantiation and atomicity fixes Eric Biggers
2017-09-27 19:50 ` [PATCH v3 1/7] KEYS: don't let add_key() update an uninstantiated key Eric Biggers
2017-09-27 19:50 ` [PATCH v3 2/7] KEYS: fix race between updating and finding negative key Eric Biggers
2017-09-27 19:50 ` [PATCH v3 3/7] KEYS: load key flags atomically in key_is_instantiated() Eric Biggers
2017-09-27 19:50 ` [PATCH v3 4/7] KEYS: load key flags and expiry time atomically in key_validate() Eric Biggers
2017-09-27 19:50 ` [PATCH v3 5/7] KEYS: load key flags and expiry time atomically in keyring_search_iterator() Eric Biggers
2017-09-27 19:50 ` Eric Biggers [this message]
2017-09-27 19:50 ` [PATCH v3 7/7] KEYS: remove KEY_FLAG_NEGATIVE Eric Biggers
2017-10-04 14:34 ` [PATCH v3 1/7] KEYS: don't let add_key() update an uninstantiated key David Howells
2017-10-04 16:33 ` [PATCH v3 2/7] KEYS: fix race between updating and finding negative key David Howells
2017-10-12 15:27 ` [PATCH v3 1/7] KEYS: don't let add_key() update an uninstantiated key David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170927195047.122358-7-ebiggers3@gmail.com \
--to=ebiggers3@gmail.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).