An error occurred while fetching folder content.

AndroidKernelMSM

UPSTREAM: KEYS: close race between key lookup and freeing

Sasha Levin authored 8 years ago

(cherry pick from commit a3a87844)

When a key is being garbage collected, it's key->user would get put
before the ->destroy() callback is called, where the key is removed from
it's respective tracking structures.

This leaves a key hanging in a semi-invalid state which leaves a window
open for a different task to try an access key->user. An example is
find_keyring_by_name() which would dereference key->user for a key that
is in the process of being garbage collected (where key->user was freed
but ->destroy() wasn't called yet - so it's still present in the linked
list).

This would cause either a panic, or corrupt memory.

Fixes CVE-2014-9529.

Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Change-Id: I23f34be2a0b97de5ee38a66729888d63f3d60c88
Bug: 29510361

79f327ea

History

79f327ea 8 years ago

History

Name	Last commit	Last update