| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20241120104212.1462-1-hdanton@sina.com>
Date: Wed, 20 Nov 2024 18:42:12 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+6105ffc1ded71d194d6d@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [keyrings?] [lsm?] KASAN: slab-use-after-free Read in key_put
On Mon, 18 Nov 2024 08:27:24 -0800
> syzbot found the following issue on:
>
> HEAD commit: adc218676eef Linux 6.12
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11c672e8580000
#syz test
--- x/security/keys/key.c
+++ y/security/keys/key.c
@@ -645,21 +645,30 @@ EXPORT_SYMBOL(key_reject_and_link);
*/
void key_put(struct key *key)
{
+ int quota_flag;
+ unsigned short len;
+ struct key_user *user;
+
if (key) {
key_check(key);
+ quota_flag = test_bit(KEY_FLAG_IN_QUOTA, &key->flags);
+ len = key->quotalen;
+ user = key->user;
+ refcount_inc(&user->usage);
if (refcount_dec_and_test(&key->usage)) {
unsigned long flags;
/* deal with the user's key tracking and quota */
- if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) {
- spin_lock_irqsave(&key->user->lock, flags);
- key->user->qnkeys--;
- key->user->qnbytes -= key->quotalen;
- spin_unlock_irqrestore(&key->user->lock, flags);
+ if (quota_flag) {
+ spin_lock_irqsave(&user->lock, flags);
+ user->qnkeys--;
+ user->qnbytes -= len;
+ spin_unlock_irqrestore(&user->lock, flags);
}
schedule_work(&key_gc_work);
}
+ key_user_put(user);
}
}
EXPORT_SYMBOL(key_put);
--
Powered by blists - more mailing lists