KEYS: fix cred refcount leak in request_key_auth_new()
diff mbox

Message ID 20170918183331.113261-1-ebiggers3@gmail.com
State New
Headers show

Commit Message

Eric Biggers Sept. 18, 2017, 6:33 p.m. UTC
From: Eric Biggers <ebiggers@google.com>

In request_key_auth_new(), if alloc_key() or key_instantiate_and_link()
were to fail, we would leak a reference to the 'struct cred'.  Currently
this can only happen if alloc_key() fails to to allocate memory.  But it
still should be fixed, as it is a more severe bug waiting to happen.

Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 security/keys/request_key_auth.c | 1 +
 1 file changed, 1 insertion(+)

Comments

David Howells Sept. 19, 2017, 3:46 p.m. UTC | #1
Eric Biggers <ebiggers3@gmail.com> wrote:

> In request_key_auth_new(), if alloc_key() or key_instantiate_and_link()
> were to fail, we would leak a reference to the 'struct cred'.  Currently
> this can only happen if alloc_key() fails to to allocate memory.  But it
> still should be fixed, as it is a more severe bug waiting to happen.

It might be better to combine request_key_auth_destroy() and the error path
that you're altering in request_key_auth_new() by pulling it into a separate
function.

David
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Eric Biggers Sept. 21, 2017, 8:37 p.m. UTC | #2
On Tue, Sep 19, 2017 at 04:46:08PM +0100, David Howells wrote:
> Eric Biggers <ebiggers3@gmail.com> wrote:
> 
> > In request_key_auth_new(), if alloc_key() or key_instantiate_and_link()
> > were to fail, we would leak a reference to the 'struct cred'.  Currently
> > this can only happen if alloc_key() fails to to allocate memory.  But it
> > still should be fixed, as it is a more severe bug waiting to happen.
> 
> It might be better to combine request_key_auth_destroy() and the error path
> that you're altering in request_key_auth_new() by pulling it into a separate
> function.
> 
> David

Agreed, I'll do that.

Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch
diff mbox

diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
index afe9d22ab361..f2f29f13ecff 100644
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -227,6 +227,7 @@  struct key *request_key_auth_new(struct key *target, const void *callout_info,
 	key_revoke(authkey);
 	key_put(authkey);
 error_alloc:
+	put_cred(rka->cred);
 	key_put(rka->target_key);
 	key_put(rka->dest_keyring);
 	kfree(rka->callout_info);