1. 24 Sep, 2019 5 commits
  2. 11 Sep, 2019 8 commits
  3. 08 Sep, 2019 4 commits
  4. 07 Sep, 2019 4 commits
  5. 06 Sep, 2019 18 commits
  6. 05 Sep, 2019 1 commit
    • Hillf Danton's avatar
      keys: Fix missing null pointer check in request_key_auth_describe() · d41a3eff
      Hillf Danton authored
      If a request_key authentication token key gets revoked, there's a window in
      which request_key_auth_describe() can see it with a NULL payload - but it
      makes no check for this and something like the following oops may occur:
      
      	BUG: Kernel NULL pointer dereference at 0x00000038
      	Faulting instruction address: 0xc0000000004ddf30
      	Oops: Kernel access of bad area, sig: 11 [#1]
      	...
      	NIP [...] request_key_auth_describe+0x90/0xd0
      	LR [...] request_key_auth_describe+0x54/0xd0
      	Call Trace:
      	[...] request_key_auth_describe+0x54/0xd0 (unreliable)
      	[...] proc_keys_show+0x308/0x4c0
      	[...] seq_read+0x3d0/0x540
      	[...] proc_reg_read+0x90/0x110
      	[...] __vfs_read+0x3c/0x70
      	[...] vfs_read+0xb4/0x1b0
      	[...] ksys_read+0x7c/0x130
      	[...] system_call+0x5c/0x70
      
      Fix this by checking for a NULL pointer when describing such a key.
      
      Also make the read routine check for a NULL pointer to be on the safe side.
      
      [DH: Modified to not take already-held rcu lock and modified to also check
       in the read routine]
      
      Fixes: 04c567d9 ("[PATCH] Keys: Fix race between two instantiators of a key")
      Reported-by: default avatarSachin Sant <sachinp@linux.vnet.ibm.com>
      Signed-off-by: default avatarHillf Danton <hdanton@sina.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Tested-by: default avatarSachin Sant <sachinp@linux.vnet.ibm.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      d41a3eff