diff options
author | Eric Biggers <ebiggers@google.com> | 2017-09-18 20:37:39 +0200 |
---|---|---|
committer | David Howells <dhowells@redhat.com> | 2017-09-25 16:19:57 +0200 |
commit | 8f674565d405a8c0b36ee531849df87f43e72ed5 (patch) | |
tree | 70918506b36dfac48aaab5800f09c3581ffc4581 /security/keys | |
parent | KEYS: prevent KEYCTL_READ on negative key (diff) | |
download | linux-8f674565d405a8c0b36ee531849df87f43e72ed5.tar.xz linux-8f674565d405a8c0b36ee531849df87f43e72ed5.zip |
KEYS: reset parent each time before searching key_user_tree
In key_user_lookup(), if there is no key_user for the given uid, we drop
key_user_lock, allocate a new key_user, and search the tree again. But
we failed to set 'parent' to NULL at the beginning of the second search.
If the tree were to be empty for the second search, the insertion would
be done with an invalid 'parent', scribbling over freed memory.
Fortunately this can't actually happen currently because the tree always
contains at least the root_key_user. But it still should be fixed to
make the code more robust.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'security/keys')
-rw-r--r-- | security/keys/key.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/security/keys/key.c b/security/keys/key.c index e5c0896c3a8f..eb914a838840 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -54,10 +54,10 @@ void __key_check(const struct key *key) struct key_user *key_user_lookup(kuid_t uid) { struct key_user *candidate = NULL, *user; - struct rb_node *parent = NULL; - struct rb_node **p; + struct rb_node *parent, **p; try_again: + parent = NULL; p = &key_user_tree.rb_node; spin_lock(&key_user_lock); |