From: Toshiyuki Okajima <toshi.okajima@jp.fujitsu.com>
To: David Howells <dhowells@redhat.com>
Cc: keyrings@linux-nfs.org, security@kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/1][BUG][IMPORTANT] KEYRINGS: find_keyring_by_name() can gain the freed keyring
Date: Fri, 23 Apr 2010 19:45:47 +0900 [thread overview]
Message-ID: <20100423194547.3135efb8.toshi.okajima@jp.fujitsu.com> (raw)
In-Reply-To: <7894.1271931370@redhat.com>
Hi.
Thanks for your comments.
David Howells wrote:
> Toshiyuki Okajima <toshi.okajima@jp.fujitsu.com> wrote:
>
>> With linux-2.6.34-rc5, find_keyring_by_name() can gain the keyring which has
>> been already freed. And then, its space (which is gained by
>> find_keyring_by_name()) is broken by accessing the freed keyring as the
>> available keyring.
>
> Good catch!
>
> I'm not sure this is the best solution, though.
This means that the keyring of which the count became 0 should not usually
be used again?
If yes, I think so, too.
>
> The alternative is just to ignore keys that have a zero usage count.
OK. I applied your suggestion and I remade the patch.
Then I confirmed that the system with new fix could continue to work while
I was executing my reproducer and your reproducer.
[your reproducer]
> for ((i=0; i<100000; i++)); do keyctl session wibble /bin/true || break; done
So, I think my new patch is also fixed.
Please check it.(new patch is attached into the following mail.)
Thanks,
Toshiyuki Okajima
next prev parent reply other threads:[~2010-04-23 10:46 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-04-22 7:37 [PATCH 1/1][BUG][IMPORTANT] KEYRINGS: find_keyring_by_name() can gain the freed keyring Toshiyuki Okajima
2010-04-22 10:16 ` David Howells
2010-04-23 10:45 ` Toshiyuki Okajima [this message]
2010-04-23 10:51 ` [PATCH 1/1][BUG][TAKE2] " Toshiyuki Okajima
2010-04-23 11:33 ` David Howells
2010-04-23 15:23 ` Toshiyuki Okajima
2010-04-23 15:52 ` David Howells
2010-04-24 0:32 ` 岡嶋 寿行
2010-04-26 14:22 ` Toshiyuki Okajima
2010-04-26 14:47 ` David Howells
2010-04-26 10:57 ` David Howells
2010-04-26 14:42 ` Toshiyuki Okajima
2010-04-29 11:23 ` Toshiyuki Okajima
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100423194547.3135efb8.toshi.okajima@jp.fujitsu.com \
--to=toshi.okajima@jp.fujitsu.com \
--cc=dhowells@redhat.com \
--cc=keyrings@linux-nfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).