* [PATCH] KEYS: fix cred refcount leak in request_key_auth_new()
@ 2017-09-18 18:33 ` Eric Biggers
0 siblings, 0 replies; 9+ messages in thread
From: Eric Biggers @ 2017-09-18 18:33 UTC (permalink / raw)
To: linux-security-module
From: Eric Biggers <ebiggers@google.com>
In request_key_auth_new(), if alloc_key() or key_instantiate_and_link()
were to fail, we would leak a reference to the 'struct cred'. Currently
this can only happen if alloc_key() fails to to allocate memory. But it
still should be fixed, as it is a more severe bug waiting to happen.
Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
security/keys/request_key_auth.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
index afe9d22ab361..f2f29f13ecff 100644
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -227,6 +227,7 @@ struct key *request_key_auth_new(struct key *target, const void *callout_info,
key_revoke(authkey);
key_put(authkey);
error_alloc:
+ put_cred(rka->cred);
key_put(rka->target_key);
key_put(rka->dest_keyring);
kfree(rka->callout_info);
--
2.14.1.690.gbb1197296e-goog
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH] KEYS: fix cred refcount leak in request_key_auth_new()
@ 2017-09-18 18:33 ` Eric Biggers
0 siblings, 0 replies; 9+ messages in thread
From: Eric Biggers @ 2017-09-18 18:33 UTC (permalink / raw)
To: keyrings
Cc: David Howells, Michael Halcrow, linux-security-module,
linux-kernel, Eric Biggers
From: Eric Biggers <ebiggers@google.com>
In request_key_auth_new(), if alloc_key() or key_instantiate_and_link()
were to fail, we would leak a reference to the 'struct cred'. Currently
this can only happen if alloc_key() fails to to allocate memory. But it
still should be fixed, as it is a more severe bug waiting to happen.
Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
security/keys/request_key_auth.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
index afe9d22ab361..f2f29f13ecff 100644
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -227,6 +227,7 @@ struct key *request_key_auth_new(struct key *target, const void *callout_info,
key_revoke(authkey);
key_put(authkey);
error_alloc:
+ put_cred(rka->cred);
key_put(rka->target_key);
key_put(rka->dest_keyring);
kfree(rka->callout_info);
--
2.14.1.690.gbb1197296e-goog
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH] KEYS: fix cred refcount leak in request_key_auth_new()
@ 2017-09-18 18:33 ` Eric Biggers
0 siblings, 0 replies; 9+ messages in thread
From: Eric Biggers @ 2017-09-18 18:33 UTC (permalink / raw)
To: linux-security-module
From: Eric Biggers <ebiggers@google.com>
In request_key_auth_new(), if alloc_key() or key_instantiate_and_link()
were to fail, we would leak a reference to the 'struct cred'. Currently
this can only happen if alloc_key() fails to to allocate memory. But it
still should be fixed, as it is a more severe bug waiting to happen.
Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
security/keys/request_key_auth.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
index afe9d22ab361..f2f29f13ecff 100644
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -227,6 +227,7 @@ struct key *request_key_auth_new(struct key *target, const void *callout_info,
key_revoke(authkey);
key_put(authkey);
error_alloc:
+ put_cred(rka->cred);
key_put(rka->target_key);
key_put(rka->dest_keyring);
kfree(rka->callout_info);
--
2.14.1.690.gbb1197296e-goog
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH] KEYS: fix cred refcount leak in request_key_auth_new()
2017-09-18 18:33 ` Eric Biggers
(?)
@ 2017-09-19 15:46 ` David Howells
-1 siblings, 0 replies; 9+ messages in thread
From: David Howells @ 2017-09-19 15:46 UTC (permalink / raw)
To: linux-security-module
Eric Biggers <ebiggers3@gmail.com> wrote:
> In request_key_auth_new(), if alloc_key() or key_instantiate_and_link()
> were to fail, we would leak a reference to the 'struct cred'. Currently
> this can only happen if alloc_key() fails to to allocate memory. But it
> still should be fixed, as it is a more severe bug waiting to happen.
It might be better to combine request_key_auth_destroy() and the error path
that you're altering in request_key_auth_new() by pulling it into a separate
function.
David
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] KEYS: fix cred refcount leak in request_key_auth_new()
@ 2017-09-19 15:46 ` David Howells
0 siblings, 0 replies; 9+ messages in thread
From: David Howells @ 2017-09-19 15:46 UTC (permalink / raw)
To: Eric Biggers
Cc: dhowells, keyrings, Michael Halcrow, linux-security-module,
linux-kernel, Eric Biggers
Eric Biggers <ebiggers3@gmail.com> wrote:
> In request_key_auth_new(), if alloc_key() or key_instantiate_and_link()
> were to fail, we would leak a reference to the 'struct cred'. Currently
> this can only happen if alloc_key() fails to to allocate memory. But it
> still should be fixed, as it is a more severe bug waiting to happen.
It might be better to combine request_key_auth_destroy() and the error path
that you're altering in request_key_auth_new() by pulling it into a separate
function.
David
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH] KEYS: fix cred refcount leak in request_key_auth_new()
@ 2017-09-19 15:46 ` David Howells
0 siblings, 0 replies; 9+ messages in thread
From: David Howells @ 2017-09-19 15:46 UTC (permalink / raw)
To: linux-security-module
Eric Biggers <ebiggers3@gmail.com> wrote:
> In request_key_auth_new(), if alloc_key() or key_instantiate_and_link()
> were to fail, we would leak a reference to the 'struct cred'. Currently
> this can only happen if alloc_key() fails to to allocate memory. But it
> still should be fixed, as it is a more severe bug waiting to happen.
It might be better to combine request_key_auth_destroy() and the error path
that you're altering in request_key_auth_new() by pulling it into a separate
function.
David
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] KEYS: fix cred refcount leak in request_key_auth_new()
2017-09-19 15:46 ` David Howells
(?)
@ 2017-09-21 20:37 ` Eric Biggers
-1 siblings, 0 replies; 9+ messages in thread
From: Eric Biggers @ 2017-09-21 20:37 UTC (permalink / raw)
To: linux-security-module
On Tue, Sep 19, 2017 at 04:46:08PM +0100, David Howells wrote:
> Eric Biggers <ebiggers3@gmail.com> wrote:
>
> > In request_key_auth_new(), if alloc_key() or key_instantiate_and_link()
> > were to fail, we would leak a reference to the 'struct cred'. Currently
> > this can only happen if alloc_key() fails to to allocate memory. But it
> > still should be fixed, as it is a more severe bug waiting to happen.
>
> It might be better to combine request_key_auth_destroy() and the error path
> that you're altering in request_key_auth_new() by pulling it into a separate
> function.
>
> David
Agreed, I'll do that.
Eric
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] KEYS: fix cred refcount leak in request_key_auth_new()
@ 2017-09-21 20:37 ` Eric Biggers
0 siblings, 0 replies; 9+ messages in thread
From: Eric Biggers @ 2017-09-21 20:37 UTC (permalink / raw)
To: David Howells
Cc: keyrings, Michael Halcrow, linux-security-module, linux-kernel,
Eric Biggers
On Tue, Sep 19, 2017 at 04:46:08PM +0100, David Howells wrote:
> Eric Biggers <ebiggers3@gmail.com> wrote:
>
> > In request_key_auth_new(), if alloc_key() or key_instantiate_and_link()
> > were to fail, we would leak a reference to the 'struct cred'. Currently
> > this can only happen if alloc_key() fails to to allocate memory. But it
> > still should be fixed, as it is a more severe bug waiting to happen.
>
> It might be better to combine request_key_auth_destroy() and the error path
> that you're altering in request_key_auth_new() by pulling it into a separate
> function.
>
> David
Agreed, I'll do that.
Eric
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH] KEYS: fix cred refcount leak in request_key_auth_new()
@ 2017-09-21 20:37 ` Eric Biggers
0 siblings, 0 replies; 9+ messages in thread
From: Eric Biggers @ 2017-09-21 20:37 UTC (permalink / raw)
To: linux-security-module
On Tue, Sep 19, 2017 at 04:46:08PM +0100, David Howells wrote:
> Eric Biggers <ebiggers3@gmail.com> wrote:
>
> > In request_key_auth_new(), if alloc_key() or key_instantiate_and_link()
> > were to fail, we would leak a reference to the 'struct cred'. Currently
> > this can only happen if alloc_key() fails to to allocate memory. But it
> > still should be fixed, as it is a more severe bug waiting to happen.
>
> It might be better to combine request_key_auth_destroy() and the error path
> that you're altering in request_key_auth_new() by pulling it into a separate
> function.
>
> David
Agreed, I'll do that.
Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2017-09-21 20:37 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-09-18 18:33 [PATCH] KEYS: fix cred refcount leak in request_key_auth_new() Eric Biggers
2017-09-18 18:33 ` Eric Biggers
2017-09-18 18:33 ` Eric Biggers
2017-09-19 15:46 ` David Howells
2017-09-19 15:46 ` David Howells
2017-09-19 15:46 ` David Howells
2017-09-21 20:37 ` Eric Biggers
2017-09-21 20:37 ` Eric Biggers
2017-09-21 20:37 ` Eric Biggers
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.