CVE-2014-9529 memory corruption or panic during key gc (rhbz 1179813 1179853)
This commit is contained in:
Josh Boyer
parent
f5e13a9223
commit
0ace95ceec
|
|
@ -0,0 +1,43 @@
|
|||
From: Sasha Levin <sasha.levin () oracle ! com>
|
||||
Date: Mon, 29 Dec 2014 14:39:01 -0500
|
||||
Subject: [PATCH] KEYS: close race between key lookup and freeing
|
||||
|
||||
When a key is being garbage collected, it's key->user would get put before
|
||||
the ->destroy() callback is called, where the key is removed from it's
|
||||
respective tracking structures.
|
||||
|
||||
This leaves a key hanging in a semi-invalid state which leaves a window open
|
||||
for a different task to try an access key->user. An example is
|
||||
find_keyring_by_name() which would dereference key->user for a key that is
|
||||
in the process of being garbage collected (where key->user was freed but
|
||||
->destroy() wasn't called yet - so it's still present in the linked list).
|
||||
|
||||
This would cause either a panic, or corrupt memory.
|
||||
|
||||
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
|
||||
---
|
||||
security/keys/gc.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/security/keys/gc.c b/security/keys/gc.c
|
||||
index 9609a7f0faea..c7952375ac53 100644
|
||||
--- a/security/keys/gc.c
|
||||
+++ b/security/keys/gc.c
|
||||
@@ -148,12 +148,12 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
|
||||
if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
|
||||
atomic_dec(&key->user->nikeys);
|
||||
|
||||
- key_user_put(key->user);
|
||||
-
|
||||
/* now throw away the key memory */
|
||||
if (key->type->destroy)
|
||||
key->type->destroy(key);
|
||||
|
||||
+ key_user_put(key->user);
|
||||
+
|
||||
kfree(key->description);
|
||||
|
||||
#ifdef KEY_DEBUGGING
|
||||
--
|
||||
2.1.0
|
||||
|
||||
|
|
@ -682,6 +682,9 @@ Patch26122: batman-adv-Calculate-extra-tail-size-based-on-queued.patch
|
|||
#CVE-2014-9419 rhbz 1177260,1177263
|
||||
Patch26123: x86_64-switch_to-Load-TLS-descriptors-before-switchi.patch
|
||||
|
||||
#CVE-2014-9529 rhbz 1179813 1179853
|
||||
Patch26124: KEYS-close-race-between-key-lookup-and-freeing.patch
|
||||
|
||||
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
|
||||
Patch30000: kernel-arm64.patch
|
||||
|
||||
|
|
@ -1473,6 +1476,9 @@ ApplyPatch batman-adv-Calculate-extra-tail-size-based-on-queued.patch
|
|||
#CVE-2014-9419 rhbz 1177260,1177263
|
||||
ApplyPatch x86_64-switch_to-Load-TLS-descriptors-before-switchi.patch
|
||||
|
||||
#CVE-2014-9529 rhbz 1179813 1179853
|
||||
ApplyPatch KEYS-close-race-between-key-lookup-and-freeing.patch
|
||||
|
||||
%if 0%{?aarch64patches}
|
||||
ApplyPatch kernel-arm64.patch
|
||||
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
|
||||
|
|
@ -2348,6 +2354,7 @@ fi
|
|||
# || ||
|
||||
%changelog
|
||||
* Wed Jan 07 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2014-9529 memory corruption or panic during key gc (rhbz 1179813 1179853)
|
||||
- Enable POWERCAP and INTEL_RAPL
|
||||
|
||||
* Tue Jan 06 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
|
|
|
|||
Loading…
Reference in New Issue