diff options
Diffstat (limited to 'main/linux-grsec/keys-fix-race-between-destruction-and-finding-keyring-by-name.patch')
| -rw-r--r-- | main/linux-grsec/keys-fix-race-between-destruction-and-finding-keyring-by-name.patch | 52 |
1 files changed, 0 insertions, 52 deletions
diff --git a/main/linux-grsec/keys-fix-race-between-destruction-and-finding-keyring-by-name.patch b/main/linux-grsec/keys-fix-race-between-destruction-and-finding-keyring-by-name.patch deleted file mode 100644 index 792296068f..0000000000 --- a/main/linux-grsec/keys-fix-race-between-destruction-and-finding-keyring-by-name.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 94c4554ba07adbdde396748ee7ae01e86cf2d8d7 Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Fri, 25 Sep 2015 16:30:08 +0100 -Subject: KEYS: Fix race between key destruction and finding a keyring by name - -There appears to be a race between: - - (1) key_gc_unused_keys() which frees key->security and then calls - keyring_destroy() to unlink the name from the name list - - (2) find_keyring_by_name() which calls key_permission(), thus accessing - key->security, on a key before checking to see whether the key usage is 0 - (ie. the key is dead and might be cleaned up). - -Fix this by calling ->destroy() before cleaning up the core key data - -including key->security. - -Reported-by: Petr Matousek <pmatouse@redhat.com> -Signed-off-by: David Howells <dhowells@redhat.com> ---- - security/keys/gc.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/security/keys/gc.c b/security/keys/gc.c -index c795237..39eac1f 100644 ---- a/security/keys/gc.c -+++ b/security/keys/gc.c -@@ -134,6 +134,10 @@ static noinline void key_gc_unused_keys(struct list_head *keys) - kdebug("- %u", key->serial); - key_check(key); - -+ /* Throw away the key data */ -+ if (key->type->destroy) -+ key->type->destroy(key); -+ - security_key_free(key); - - /* deal with the user's key tracking and quota */ -@@ -148,10 +152,6 @@ static noinline void key_gc_unused_keys(struct list_head *keys) - if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) - atomic_dec(&key->user->nikeys); - -- /* now throw away the key memory */ -- if (key->type->destroy) -- key->type->destroy(key); -- - key_user_put(key->user); - - kfree(key->description); --- -cgit v0.11.2 - |