Piteball/android_kernel_samsung_msm8976
1
1
Fork 0
mirror of https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git synced 2024-11-01 10:33:27 +00:00
Code Issues Projects Releases Wiki Activity
android_kernel_samsung_msm8976/security/keys
History
Sasha Levin a7033e302d KEYS: close race between key lookup and freeing 
commit a3a8784454692dd72e5d5d34dcdab17b4420e74c upstream.

When a key is being garbage collected, it's key->user would get put before
the ->destroy() callback is called, where the key is removed from it's
respective tracking structures.

This leaves a key hanging in a semi-invalid state which leaves a window open
for a different task to try an access key->user. An example is
find_keyring_by_name() which would dereference key->user for a key that is
in the process of being garbage collected (where key->user was freed but
->destroy() wasn't called yet - so it's still present in the linked list).

This would cause either a panic, or corrupt memory.

Fixes CVE-2014-9529.

Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2015-01-29 17:40:56 -08:00
..
encrypted-keys KEYS: Fix stale key registration at error path 2015-01-08 09:58:16 -08:00
compat.c
gc.c KEYS: close race between key lookup and freeing 2015-01-29 17:40:56 -08:00
internal.h aio: don't include aio.h in sched.h 2013-05-07 20:16:25 -07:00
Kconfig
key.c
keyctl.c aio: don't include aio.h in sched.h 2013-05-07 20:16:25 -07:00
keyring.c
Makefile
permission.c
proc.c
process_keys.c
request_key.c
request_key_auth.c
sysctl.c
trusted.c
trusted.h
user_defined.c