github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-09 07:03:37 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
8c6dafeba6
linux/security
History
Sasha Levin a7033e302d KEYS: close race between key lookup and freeing 
commit a3a8784454 upstream.

When a key is being garbage collected, it's key->user would get put before
the ->destroy() callback is called, where the key is removed from it's
respective tracking structures.

This leaves a key hanging in a semi-invalid state which leaves a window open
for a different task to try an access key->user. An example is
find_keyring_by_name() which would dereference key->user for a key that is
in the process of being garbage collected (where key->user was freed but
->destroy() wasn't called yet - so it's still present in the linked list).

This would cause either a panic, or corrupt memory.

Fixes CVE-2014-9529.

Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2015-01-29 17:40:56 -08:00
..
apparmor
integrity evm: check xattr value length and type in evm_inode_setxattr() 2014-11-14 08:47:54 -08:00
keys KEYS: close race between key lookup and freeing 2015-01-29 17:40:56 -08:00
selinux selinux: fix inode security list corruption 2014-11-14 08:47:55 -08:00
smack
tomoyo
yama
capability.c
commoncap.c CAPABILITIES: remove undefined caps from all processes 2014-09-17 09:03:57 -07:00
device_cgroup.c
inode.c
Kconfig
lsm_audit.c
Makefile
min_addr.c
security.c