summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorEric Biggers <ebiggers@google.com>2017-09-18 20:37:39 +0200
committerDavid Howells <dhowells@redhat.com>2017-09-25 16:19:57 +0200
commit8f674565d405a8c0b36ee531849df87f43e72ed5 (patch)
tree70918506b36dfac48aaab5800f09c3581ffc4581 /security
parentKEYS: prevent KEYCTL_READ on negative key (diff)
downloadlinux-8f674565d405a8c0b36ee531849df87f43e72ed5.tar.xz
linux-8f674565d405a8c0b36ee531849df87f43e72ed5.zip
KEYS: reset parent each time before searching key_user_tree
In key_user_lookup(), if there is no key_user for the given uid, we drop key_user_lock, allocate a new key_user, and search the tree again. But we failed to set 'parent' to NULL at the beginning of the second search. If the tree were to be empty for the second search, the insertion would be done with an invalid 'parent', scribbling over freed memory. Fortunately this can't actually happen currently because the tree always contains at least the root_key_user. But it still should be fixed to make the code more robust. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'security')
-rw-r--r--security/keys/key.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/security/keys/key.c b/security/keys/key.c
index e5c0896c3a8f..eb914a838840 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -54,10 +54,10 @@ void __key_check(const struct key *key)
struct key_user *key_user_lookup(kuid_t uid)
{
struct key_user *candidate = NULL, *user;
- struct rb_node *parent = NULL;
- struct rb_node **p;
+ struct rb_node *parent, **p;
try_again:
+ parent = NULL;
p = &key_user_tree.rb_node;
spin_lock(&key_user_lock);