From patchwork Mon Sep 18 18:36:12 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 9957369 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id DFFC460385 for ; Mon, 18 Sep 2017 18:36:26 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D377928D36 for ; Mon, 18 Sep 2017 18:36:26 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id C683B28D3B; Mon, 18 Sep 2017 18:36:26 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.3 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6CC0328D36 for ; Mon, 18 Sep 2017 18:36:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755402AbdIRSgZ (ORCPT ); Mon, 18 Sep 2017 14:36:25 -0400 Received: from mail-pf0-f193.google.com ([209.85.192.193]:34834 "EHLO mail-pf0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754019AbdIRSgY (ORCPT ); Mon, 18 Sep 2017 14:36:24 -0400 Received: by mail-pf0-f193.google.com with SMTP id i23so514545pfi.2; Mon, 18 Sep 2017 11:36:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=zMh+Yr2MY1r6kmYv2RlF4kS/nGea45Bfp6KfGF2rULM=; b=dEv74lLopGNcgGi8KcHixXqHOSln5YfpEwvvNj0og5NY6c2BiZiSjM1Y0NUQ6haSoa LjFccC7p4g5BZc2pU9jyLRUjbDM9j5qX+eFl3dWZjKwspNQjKDmrK6Jzw+iZrwtwx/0G IcQ4ivE5e9RXw0P86f1pEtWGZwDAioUquDwliuDoM3VQtRjenzhokjoXJYxbJ3dO3qrf yWDcDsE+LpYLyNmdo3LDN9TFojclrla/mXg5DIR8FkZN+GstjOHe6zAi/gJAEJ0XDq7F gld/VlQ+pNcfnsLy4Mii2xTVrKC6Gt97bxsNixzrZQeK3t3+upEepXuItJFmElvwZAYU 0trA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=zMh+Yr2MY1r6kmYv2RlF4kS/nGea45Bfp6KfGF2rULM=; b=SiX97HraDxEj6fNxZbsE8DU8Xb9O1p/tBU7aVOkO5oHcZuYBjhYT7VatsJpVYWivWg PntFCvzd93vlBUh0TKW1BDUhisNXJEQ2TRCbHKLJyWXnALdp6kM7JUzGp4y7jGxm2q1h cf/SshPbmd+DZOMYJ8bPKUYANdGO63BaboH6T9in8nKXRoNkmCWp6U7zLhgX97MuhxGG RShzL8YpZ+DM5x2Wh8Q1K34pZZXI7BAdwBHrTBoACI8fIMU0oDDWPWYzgEnxOCcqP/Qz /dw5R6YNhp0X6hQcv0O7iR6vts/LbF7L/+Jglmgxt5RNfSHuBFTSL/uqQPOWJsv2KE+K zYSw== X-Gm-Message-State: AHPjjUi+6AEcN6G1kawuZt6+UwvSo2Q3hHguHfGx/wr2WkFDgME8mck0 gFL+P1crtX7I256Crp4= X-Google-Smtp-Source: ADKCNb7ikOdiJietErJjzAxP6HWHFfJWaXgPuay0uSfgT3YzxdM66FbD9x5ZSSX43gt7pd/xi5gRnQ== X-Received: by 10.99.154.81 with SMTP id e17mr32743553pgo.89.1505759783719; Mon, 18 Sep 2017 11:36:23 -0700 (PDT) Received: from ebiggers-linuxstation.kir.corp.google.com ([100.66.174.81]) by smtp.gmail.com with ESMTPSA id u192sm169471pgc.18.2017.09.18.11.36.22 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 18 Sep 2017 11:36:23 -0700 (PDT) From: Eric Biggers To: keyrings@vger.kernel.org Cc: David Howells , Michael Halcrow , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Eric Biggers Subject: [PATCH] KEYS: fix key refcount leak in keyctl_assume_authority() Date: Mon, 18 Sep 2017 11:36:12 -0700 Message-Id: <20170918183612.113941-1-ebiggers3@gmail.com> X-Mailer: git-send-email 2.14.1.690.gbb1197296e-goog Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers In keyctl_assume_authority(), if keyctl_change_reqkey_auth() were to fail, we would leak the reference to the 'authkey'. Currently this can only happen if prepare_creds() fails to allocate memory. But it still should be fixed, as it is a more severe bug waiting to happen. This patch also moves the read of 'authkey->serial' to before the reference to the authkey is dropped. Doing the read after dropping the reference is very fragile because it assumes we still hold another reference to the key. (Which we do, in current->cred->request_key_auth, but there's no reason not to write it in the "obviously correct" way.) Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials") Signed-off-by: Eric Biggers --- security/keys/keyctl.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 6a82090c7fc1..552e4460683b 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c @@ -1411,11 +1411,9 @@ long keyctl_assume_authority(key_serial_t id) } ret = keyctl_change_reqkey_auth(authkey); - if (ret < 0) - goto error; + if (ret == 0) + ret = authkey->serial; key_put(authkey); - - ret = authkey->serial; error: return ret; }