From patchwork Mon Sep 18 18:37:39 2017
X-Patchwork-Submitter: Eric Biggers
X-Patchwork-Id: 9957389
From: Eric Biggers
To: keyrings@vger.kernel.org
Cc: David Howells, Michael Halcrow, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Eric Biggers
Subject: [PATCH] KEYS: reset parent each time before searching key_user_tree
Date: Mon, 18 Sep 2017 11:37:39 -0700
Message-Id: <20170918183739.114308-1-ebiggers3@gmail.com>
From: Eric Biggers

In key_user_lookup(), if there is no key_user for the given uid, we drop
key_user_lock, allocate a new key_user, and search the tree again. But we
failed to set 'parent' to NULL at the beginning of the second search. If the
tree were to be empty for the second search, the insertion would be done with
an invalid 'parent', scribbling over freed memory. Fortunately this can't
actually happen currently because the tree always contains at least the
root_key_user. But it still should be fixed to make the code more robust.

Signed-off-by: Eric Biggers
---
 security/keys/key.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/keys/key.c b/security/keys/key.c
index e5c0896c3a8f..eb914a838840 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -54,10 +54,10 @@ void __key_check(const struct key *key)
 struct key_user *key_user_lookup(kuid_t uid)
 {
 	struct key_user *candidate = NULL, *user;
-	struct rb_node *parent = NULL;
-	struct rb_node **p;
+	struct rb_node *parent, **p;
 try_again:
+	parent = NULL;
 	p = &key_user_tree.rb_node;
 	spin_lock(&key_user_lock);
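Review bot: The reset is placed correctly at the try_again: label, so `parent = NULL;` now sits beside `p = &key_user_tree.rb_node;` and both search inputs are re-initialised on every pass rather than only on function entry; one request for the commit message rather than the hunk: state explicitly that only the empty-tree retry is affected, since the text already implies it ("If the tree were to be empty for the second search") and that is the reason the stale pointer stays latent while root_key_user is always present. Also, the hunk as reproduced here ends at `spin_lock(&key_user_lock);` with its trailing context lines cut off, so the insertion site that consumes `parent` is not visible in this excerpt and has to be checked against the full patch.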
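To make the retry hazard the commit message describes concrete, here is an added example (my own code, not the kernel's and not from this patch) that rebuilds the search / drop-lock / allocate / retry shape of key_user_lookup() on a tiny unbalanced binary tree in place of an rbtree, with a hook that unlinks the only node during the unlocked window so that the second search sees an empty tree. Every name in it (user_node, user_tree, walk, user_lookup, evict_root, stale_parent_after_eviction) is hypothetical; the reset_parent flag selects the pre-patch or the patched variant, and the evicted node is stashed rather than freed so the outcome can be checked without reading freed memory:

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

/* Unbalanced BST keyed by uid, hypothetical stand-in for key_user_tree. It
 * keeps only the parent/link-pointer walk that rb_link_node() relies on. */
struct user_node {
	uint32_t uid;
	struct user_node *parent, *left, *right;
};

struct user_tree { struct user_node *root; };

/* Stands in for what other CPUs do while key_user_lock is dropped. */
typedef void (*window_fn)(struct user_tree *t);

/* Descend from the root. Returns the match, or NULL with *pp set to the empty
 * link to fill. *pparent is written only per descent step, so an empty tree
 * leaves the caller's value untouched: the property the patch is about. */
static struct user_node *walk(struct user_tree *t, uint32_t uid,
			      struct user_node **pparent, struct user_node ***pp)
{
	struct user_node **p = &t->root;
	while (*p) {
		*pparent = *p;
		if (uid < (*p)->uid)
			p = &(*p)->left;
		else if (uid > (*p)->uid)
			p = &(*p)->right;
		else
			return *p;
	}
	*pp = p;
	return NULL;
}

/* Lookup-or-create with the search / allocate / retry shape of
 * key_user_lookup(). reset_parent 0 = pre-patch, 1 = patched. */
static struct user_node *user_lookup(struct user_tree *t, uint32_t uid,
				     window_fn window, int reset_parent)
{
	struct user_node *candidate = NULL, *user;
	struct user_node *parent = NULL, **p;

try_again:
	if (reset_parent)
		parent = NULL;		/* the line the patch adds */
	user = walk(t, uid, &parent, &p);	/* "lock held" */
	if (user) {
		free(candidate);	/* present already, or lost the race */
		return user;
	}
	if (!candidate) {
		/* "unlock", allocate, let the window run, search again */
		candidate = calloc(1, sizeof(*candidate));
		candidate->uid = uid;
		if (window)
			window(t);
		goto try_again;
	}
	candidate->parent = parent;	/* rb_link_node() equivalent */
	*p = candidate;
	return candidate;
}

/* Constructed race: the only node is unlinked while the lock is dropped. It is
 * stashed, not freed, so the result can be compared without touching freed
 * memory; in the kernel this is the key_user being kfree()d. */
static struct user_node *evicted;

static void evict_root(struct user_tree *t)
{
	evicted = t->root;
	t->root = NULL;
}

/* 1: new node linked under the evicted (stale) node; 0: linked at the root
 * with parent NULL; 2: anything else. */
static int stale_parent_after_eviction(int reset_parent)
{
	struct user_tree t = { 0 };
	struct user_node root = { .uid = 0 };	/* root_key_user analogue */
	struct user_node *n, *parent;
	t.root = &root;
	evicted = NULL;
	n = user_lookup(&t, 1000, evict_root, reset_parent);
	parent = n->parent;
	free(n);
	if (parent == NULL)
		return 0;
	return parent == evicted ? 1 : 2;
}

int main(void)
{
	printf("pre-patch, stale parent: %d\n", stale_parent_after_eviction(0));
	printf("patched,   stale parent: %d\n", stale_parent_after_eviction(1));
	return 0;
}
```

With reset_parent = 0 the new node is linked under the node that left the tree during the window, which is exactly the stale 'parent' the patch eliminates; with reset_parent = 1 it is linked at the root with a NULL parent. In a real rbtree the rebalancing step that follows linking walks back up through that parent pointer, which is the "scribbling over freed memory" the commit message refers to, whereas this toy tree merely records the bad pointer.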