linux/security
Sasha Levin a3a8784454 KEYS: close race between key lookup and freeing
When a key is being garbage collected, it's key->user would get put before
the ->destroy() callback is called, where the key is removed from it's
respective tracking structures.

This leaves a key hanging in a semi-invalid state which leaves a window open
for a different task to try an access key->user. An example is
find_keyring_by_name() which would dereference key->user for a key that is
in the process of being garbage collected (where key->user was freed but
->destroy() wasn't called yet - so it's still present in the linked list).

This would cause either a panic, or corrupt memory.

Fixes CVE-2014-9529.

Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David Howells <dhowells@redhat.com>
2015-01-05 15:58:01 +00:00
..
apparmor module: rename KERNEL_PARAM_FL_NOARG to avoid confusion 2014-08-27 21:54:07 +09:30
integrity Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity into for-linus 2014-12-16 12:49:10 +11:00
keys KEYS: close race between key lookup and freeing 2015-01-05 15:58:01 +00:00
selinux Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2014-12-14 20:36:37 -08:00
smack Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2014-12-14 20:36:37 -08:00
tomoyo tomoyo: Fix pathname calculation breakage. 2014-08-26 21:52:09 -05:00
yama
capability.c security: make security_file_set_fowner, f_setown and __f_setown void return 2014-09-09 16:01:36 -04:00
commoncap.c kill f_dentry uses 2014-11-19 13:01:25 -05:00
device_cgroup.c cgroup: rename cgroup_subsys->base_cftypes to ->legacy_cftypes 2014-07-15 11:05:09 -04:00
inode.c Documentation: Docbook: Fix generated DocBook/kernel-api.xml 2014-09-09 10:34:56 +02:00
Kconfig
lsm_audit.c
Makefile
min_addr.c
security.c security: make security_file_set_fowner, f_setown and __f_setown void return 2014-09-09 16:01:36 -04:00