From patchwork Tue Sep 26 20:11:01 2017
X-Patchwork-Submitter: Eric Biggers
X-Patchwork-Id: 9972675
From: Eric Biggers
To: keyrings@vger.kernel.org
Cc: David Howells, Michael Halcrow, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Eric Biggers
Subject: [PATCH v2 2/6] KEYS: load key flags atomically in key_is_instantiated()
Date: Tue, 26 Sep 2017 13:11:01 -0700
Message-Id: <20170926201105.126166-3-ebiggers3@gmail.com>
In-Reply-To: <20170926201105.126166-1-ebiggers3@gmail.com>
References: <20170926201105.126166-1-ebiggers3@gmail.com>
From: Eric Biggers

In key_is_instantiated(), we check for KEY_FLAG_INSTANTIATED set and KEY_FLAG_NEGATIVE unset. But this was done as two separate bit tests which were not atomic with respect to each other, and had no memory barrier providing ordering. Therefore, it was theoretically possible for the function to incorrectly return true if called while the key was being negatively instantiated.

There also needs to be a memory barrier before anything which is only meaningful for positively instantiated keys, e.g. ->payload and ->datalen, can be read --- which some of the ->describe() methods do.

Fix both these problems by loading the flags using smp_load_acquire().

Signed-off-by: Eric Biggers

--- include/linux/key.h | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/include/linux/key.h b/include/linux/key.h index b7b590d7c480..fcb79eedbdb5 100644 --- a/include/linux/key.h +++ b/include/linux/key.h @@ -372,8 +372,11 @@ extern void key_set_timeout(struct key *, unsigned); */ static inline bool key_is_instantiated(const struct key *key) { - return test_bit(KEY_FLAG_INSTANTIATED, &key->flags) && - !test_bit(KEY_FLAG_NEGATIVE, &key->flags); + /* Pairs with RELEASE in mark_key_instantiated() */ + unsigned long flags = smp_load_acquire(&key->flags); + + return (flags & KEY_FLAG_INSTANTIATED) && + !(flags & KEY_FLAG_NEGATIVE); } #define dereference_key_rcu(KEY) \
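Review bot: In the added return expression of key_is_instantiated(), KEY_FLAG_INSTANTIATED and KEY_FLAG_NEGATIVE are ANDed with the loaded flags word as if they were bit masks, but the removed lines pass the same constants to test_bit(), which takes a bit number. If they are bit indices, `flags & KEY_FLAG_INSTANTIATED` tests the wrong bits (and is always false for index 0), so the checks should read `flags & (1UL << KEY_FLAG_INSTANTIATED)` and `!(flags & (1UL << KEY_FLAG_NEGATIVE))`. The new comment also names mark_key_instantiated() as the RELEASE side, which is not part of this diff; the acquire load only gives the ordering the commit message wants if that function publishes the flag bits with a release store after ->payload and ->datalen are written, so that is worth confirming against the patch that adds it.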