Re: [syzbot] [keyrings?] [lsm?] KASAN: slab-use-after-free Read in key_put

linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: David Howells <dhowells@redhat.com>
To: syzbot <syzbot+6105ffc1ded71d194d6d@syzkaller.appspotmail.com>
Cc: dhowells@redhat.com, jarkko@kernel.org, jmorris@namei.org,
	Oleg Nesterov <oleg@redhat.com>,
	keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org, paul@paul-moore.com,
	serge@hallyn.com, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [keyrings?] [lsm?] KASAN: slab-use-after-free Read in key_put
Date: Wed, 19 Mar 2025 15:20:19 +0000	[thread overview]
Message-ID: <2831141.1742397619@warthog.procyon.org.uk> (raw)
In-Reply-To: <673b6aec.050a0220.87769.004a.GAE@google.com>

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

commit 91286ccf56bb5030c0c84b11684f06142f50e681
Author: David Howells <dhowells@redhat.com>
Date:   Tue Mar 18 09:54:54 2025 +0000

    keys: Fix UAF in key_put()
    
    Once a key's reference count has been reduced to 0, the garbage collector
    thread may destroy it at any time and so key_put() is not allowed to touch
    the key after that point.  The most key_put() is normally allowed to do is
    to touch key_gc_work as that's a static global variable.
    
    However, in an effort to speed up the reclamation of quota, this is now
    done in key_put() once the key's usage is reduced to 0 - but now the code
    is looking at the key after the deadline, which is forbidden.
    
    Fix this by using a flag to indicate that a key can be gc'd now rather than
    looking at the key's refcount in the garbage collector.
    
    Fixes: 9578e327b2b4 ("keys: update key quotas in key_put()")
    Reported-by: syzbot+6105ffc1ded71d194d6d@syzkaller.appspotmail.com
    Signed-off-by: David Howells <dhowells@redhat.com>
    cc: Jarkko Sakkinen <jarkko@kernel.org>
    cc: Oleg Nesterov <oleg@redhat.com>
    cc: Kees Cook <kees@kernel.org>
    cc: Hillf Danton <hdanton@sina.com>,
    cc: keyrings@vger.kernel.org
    Cc: stable@vger.kernel.org # v6.10+

diff --git a/include/linux/key.h b/include/linux/key.h
index 074dca3222b9..ba05de8579ec 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -236,6 +236,7 @@ struct key {
 #define KEY_FLAG_ROOT_CAN_INVAL	7	/* set if key can be invalidated by root without permission */
 #define KEY_FLAG_KEEP		8	/* set if key should not be removed */
 #define KEY_FLAG_UID_KEYRING	9	/* set if key is a user or user session keyring */
+#define KEY_FLAG_FINAL_PUT	10	/* set if final put has happened on key */
 
 	/* the key type and key description string
 	 * - the desc is used to match a key against search criteria
diff --git a/security/keys/gc.c b/security/keys/gc.c
index 7d687b0962b1..f27223ea4578 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -218,8 +218,10 @@ static void key_garbage_collector(struct work_struct *work)
 		key = rb_entry(cursor, struct key, serial_node);
 		cursor = rb_next(cursor);
 
-		if (refcount_read(&key->usage) == 0)
+		if (test_bit(KEY_FLAG_FINAL_PUT, &key->flags)) {
+			smp_mb(); /* Clobber key->user after FINAL_PUT seen. */
 			goto found_unreferenced_key;
+		}
 
 		if (unlikely(gc_state & KEY_GC_REAPING_DEAD_1)) {
 			if (key->type == key_gc_dead_keytype) {
diff --git a/security/keys/key.c b/security/keys/key.c
index 3d7d185019d3..7198cd2ac3a3 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -658,6 +658,8 @@ void key_put(struct key *key)
 				key->user->qnbytes -= key->quotalen;
 				spin_unlock_irqrestore(&key->user->lock, flags);
 			}
+			smp_mb(); /* key->user before FINAL_PUT set. */
+			set_bit(KEY_FLAG_FINAL_PUT, &key->flags);
 			schedule_work(&key_gc_work);
 		}
 	}

next prev parent reply	other threads:[~2025-03-19 15:20 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-11-18 16:27 [syzbot] [keyrings?] [lsm?] KASAN: slab-use-after-free Read in key_put syzbot
2024-11-18 21:27 ` Suraj Sonawane
2024-11-18 21:37   ` syzbot
2024-11-19 10:36 ` syzbot
2025-03-19 15:20 ` David Howells [this message]
2025-03-19 15:49   ` syzbot

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:074dca3222b dfblob:ba05de8579e dfblob:7d687b0962b
dfblob:f27223ea457 dfblob:3d7d185019d dfblob:7198cd2ac3a )
 OR (
bs:"Re: [syzbot] [keyrings?] [lsm?] KASAN: slab-use-after-free Read in key_put" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2831141.1742397619@warthog.procyon.org.uk \
    --to=dhowells@redhat.com \
    --cc=jarkko@kernel.org \
    --cc=jmorris@namei.org \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=oleg@redhat.com \
    --cc=paul@paul-moore.com \
    --cc=serge@hallyn.com \
    --cc=syzbot+6105ffc1ded71d194d6d@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).