superrob1500
/
mirror-linux
mirror of https://github.com/torvalds/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
mirror-linux/security
History
David Howells 75845c6c1a keys: Fix UAF in key_put() 
Once a key's reference count has been reduced to 0, the garbage collector
thread may destroy it at any time and so key_put() is not allowed to touch
the key after that point.  The most key_put() is normally allowed to do is
to touch key_gc_work as that's a static global variable.

However, in an effort to speed up the reclamation of quota, this is now
done in key_put() once the key's usage is reduced to 0 - but now the code
is looking at the key after the deadline, which is forbidden.

Fix this by using a flag to indicate that a key can be gc'd now rather than
looking at the key's refcount in the garbage collector.

Fixes: 9578e327b2 ("keys: update key quotas in key_put()")
Reported-by: syzbot+6105ffc1ded71d194d6d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/673b6aec.050a0220.87769.004a.GAE@google.com/
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: syzbot+6105ffc1ded71d194d6d@syzkaller.appspotmail.com
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
 		2025-03-22 15:36:49 +02:00
..
apparmor treewide: const qualify ctl_tables where applicable 2025-01-28 13:48:37 +01:00
bpf bpf: lsm: Remove hook to bpf_task_storage_free 2024-12-16 12:32:31 -08:00
integrity ima: Reset IMA_NONACTION_RULE_FLAGS after post_setattr 2025-02-04 21:36:43 -05:00
ipe ipe: fallback to platform keyring also if key in trusted keyring is rejected 2024-10-18 12:14:53 -07:00
keys keys: Fix UAF in key_put() 2025-03-22 15:36:49 +02:00
landlock landlock: Fix non-TCP sockets restriction 2025-02-14 09:23:09 +01:00
loadpin fdget(), more trivial conversions 2024-11-03 01:28:06 -05:00
lockdown lockdown: initialize local array before use to quiet static analysis 2025-01-05 12:48:43 -05:00
safesetid safesetid: check size of policy writes 2025-01-04 22:46:09 -05:00
selinux \n 2025-01-23 13:36:06 -08:00
smack lsm/stable-6.14 PR 20250121 2025-01-21 20:03:04 -08:00
tomoyo tomoyo: use better patterns for procfs in learning mode 2025-01-31 00:27:44 +09:00
yama treewide: const qualify ctl_tables where applicable 2025-01-28 13:48:37 +01:00
Kconfig lsm: Only build lsm_audit.c if CONFIG_SECURITY and CONFIG_AUDIT are set 2025-01-04 11:50:44 -05:00
Kconfig.hardening hardening: Document INIT_STACK_ALL_PATTERN behavior with GCC 2025-01-08 14:17:33 -08:00
Makefile lsm: Only build lsm_audit.c if CONFIG_SECURITY and CONFIG_AUDIT are set 2025-01-04 11:50:44 -05:00
commoncap.c capabilities patches for 6.14-rc1 2025-01-23 08:00:16 -08:00
device_cgroup.c
inode.c lsm: Use IS_ERR_OR_NULL() helper function 2024-08-29 11:12:13 -04:00
lsm_audit.c selinux/stable-6.14 PR 20250121 2025-01-21 20:09:14 -08:00
lsm_syscalls.c lsm: use 32-bit compatible data types in LSM syscalls 2024-03-14 11:31:26 -04:00
min_addr.c sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
security.c AT_EXECVE_CHECK introduction for v6.14-rc1 2025-01-22 20:34:42 -08:00