Created
July 27, 2015 14:22
-
-
Save invisiblek/d90c1058b0bf848f5309 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| From: Colin Ian King <[email protected]> | |
| Subject: [PATCH] KEYS: ensure we free the assoc array edit if edit is valid | |
| __key_link_end is not freeing the associated array edit structure | |
| and this leads to a 512 byte memory leak each time an identical | |
| existing key is added with add_key(). | |
| The reason the add_key() system call returns okay is that | |
| key_create_or_update() calls __key_link_begin() before checking to see | |
| whether it can update a key directly rather than adding/replacing - which | |
| it turns out it can. Thus __key_link() is not called through | |
| __key_instantiate_and_link() and __key_link_end() must cancel the edit. | |
| CVE-2015-1333 | |
| Signed-off-by: Colin Ian King <[email protected]> | |
| Signed-off-by: David Howells <[email protected]> | |
| --- | |
| diff --git a/security/keys/keyring.c b/security/keys/keyring.c | |
| index e72548b5897e..d33437007ad2 100644 | |
| --- a/security/keys/keyring.c | |
| +++ b/security/keys/keyring.c | |
| @@ -1181,9 +1181,11 @@ void __key_link_end(struct key *keyring, | |
| if (index_key->type == &key_type_keyring) | |
| up_write(&keyring_serialise_link_sem); | |
| - if (edit && !edit->dead_leaf) { | |
| - key_payload_reserve(keyring, | |
| - keyring->datalen - KEYQUOTA_LINK_BYTES); | |
| + if (edit) { | |
| + if (!edit->dead_leaf) { | |
| + key_payload_reserve(keyring, | |
| + keyring->datalen - KEYQUOTA_LINK_BYTES); | |
| + } | |
| assoc_array_cancel_edit(edit); | |
| } | |
| up_write(&keyring->sem); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment