| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <30932.1420473588@warthog.procyon.org.uk> Date: Mon, 05 Jan 2015 15:59:48 +0000 From: David Howells <dhowells@...hat.com> To: Sasha Levin <sasha.levin@...cle.com> Cc: dhowells@...hat.com, linux-kernel@...r.kernel.org, James Morris <james.l.morris@...cle.com>, "Serge E. Hallyn" <serge@...lyn.com>, keyrings@...ux-nfs.org (open list:KEYS/KEYRINGS:), linux-security-module@...r.kernel.org (open list:SECURITY SUBSYSTEM) Subject: Re: [PATCH] KEYS: close race between key lookup and freeing Sasha Levin <sasha.levin@...cle.com> wrote: > When a key is being garbage collected, it's key->user would get put before > the ->destroy() callback is called, where the key is removed from it's > respective tracking structures. > > This leaves a key hanging in a semi-invalid state which leaves a window open > for a different task to try an access key->user. An example is > find_keyring_by_name() which would dereference key->user for a key that is > in the process of being garbage collected (where key->user was freed but > ->destroy() wasn't called yet - so it's still present in the linked list). > > This would cause either a panic, or corrupt memory. > > Signed-off-by: Sasha Levin <sasha.levin@...cle.com> Applied. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists