• David Howells's avatar
    [PATCH] Keys: Fix race between two instantiators of a key · 04c567d9
    David Howells authored
    Add a revocation notification method to the key type and calls it whilst
    the key's semaphore is still write-locked after setting the revocation
    flag.
    
    The patch then uses this to maintain a reference on the task_struct of the
    process that calls request_key() for as long as the authorisation key
    remains unrevoked.
    
    This fixes a potential race between two processes both of which have
    assumed the authority to instantiate a key (one may have forked the other
    for example).  The problem is that there's no locking around the check for
    revocation of the auth key and the use of the task_struct it points to, nor
    does the auth key keep a reference on the task_struct.
    
    Access to the "context" pointer in the auth key must thenceforth be done
    with the auth key semaphore held.  The revocation method is called with the
    target key semaphore held write-locked and the search of the context
    process's keyrings is done with the auth key semaphore read-locked.
    
    The check for the revocation state of the auth key just prior to searching
    it is done after the auth key is read-locked for the search.  This ensures
    that the auth key can't be revoked between the check and the search.
    
    The revocation notification method is added so that the context task_struct
    can be released as soon as instantiation happens rather than waiting for
    the auth key to be destroyed, thus avoiding the unnecessary pinning of the
    requesting process.
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
    04c567d9
keys.txt 39.9 KB