From patchwork Tue Sep 26 20:11:02 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 9972667 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id EB331602BD for ; Tue, 26 Sep 2017 20:15:30 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DEC8F28BD9 for ; Tue, 26 Sep 2017 20:15:30 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id D3AE828F99; Tue, 26 Sep 2017 20:15:30 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.3 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8E4FF28BD9 for ; Tue, 26 Sep 2017 20:15:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S970356AbdIZUOj (ORCPT ); Tue, 26 Sep 2017 16:14:39 -0400 Received: from mail-pf0-f194.google.com ([209.85.192.194]:35962 "EHLO mail-pf0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S968704AbdIZUOb (ORCPT ); Tue, 26 Sep 2017 16:14:31 -0400 Received: by mail-pf0-f194.google.com with SMTP id f84so5417439pfj.3; Tue, 26 Sep 2017 13:14:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=8bs36DUVqS0iTlm5jS2Wvi6E9M9mVLX05D3S21/0jQA=; b=RvKzXE+22KQN61BuNFVjkkRTkQYDR80as5UYeaENGXcJHlPxOPfakUBH/LRivONA2z 2aKs9f6IHKIYeAY1nVMbs0AAPztcerYywlks/JFn1kO+FYWJeGQ2sgq3W/4X49KMdVHb 4Zv6c//gF+nqaKTLhjjvxhpyYK6j5rYxdPXsrL9U277GZB6M2OU4afVAljJOfRDJOhJ4 88XV2Ajo46TiOUwUGuUIsFe11tDNHJwvhAnr+QML5AV0sD6xV9QYHzhB3/417wcIXabh 6yprC5OExSPbxLccNUoYx1NKYbAVomWaIXIOKmM03ypz+y/wockYJWJb5pU9EaEcuRhX Bmrw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=8bs36DUVqS0iTlm5jS2Wvi6E9M9mVLX05D3S21/0jQA=; b=ozw1Giekm1ltT/1yRwCmQSiS/6ntaY8Fs/fmOjSiLhW7afBNCsggmU3oaiC7tJ28zi fikiQHSHJXNWeEGurDOOjGZKaqfA+sjxA6ef6/ae8d0gMb9JFS0TvjwDekzCZ2MKB/S3 R0tvFC+tOTrfvH1egCFxs87C8zTC1zPFcxDCL9Q8cFqlEg8oWg/ddrsTeHdLdVuzcbdI bm0SYaAiPSH+bewsJbOX5cZKcYNT9NgT+KUSy5LcsZZehbxkDYMCfe2jpC2ZTJs9GE52 Q0BGrgv49NP+t/ZOh5ZqLjNB2P+vxLKORcBsyQkuRIV0iwMo2e4LBglQlKODHBgJcgvF pn6g== X-Gm-Message-State: AHPjjUgVDjqrL86vateWInkH4zGAv1mB86VeeXej0eodKKIGXmqmTg58 mBbu9LSqGdyGxIlcsnWFcFdDinbV X-Google-Smtp-Source: AOwi7QAQFW+ApDaLovloAPi6NnySjG92eCUOZsUtGeOuMNst7V1gvxR/OIlfBjYohIPgtqRAYNP1vw== X-Received: by 10.84.216.73 with SMTP id f9mr12044576plj.169.1506456870488; Tue, 26 Sep 2017 13:14:30 -0700 (PDT) Received: from ebiggers-linuxstation.kir.corp.google.com ([100.66.174.81]) by smtp.gmail.com with ESMTPSA id g68sm16597640pfc.64.2017.09.26.13.14.29 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 26 Sep 2017 13:14:30 -0700 (PDT) From: Eric Biggers To: keyrings@vger.kernel.org Cc: David Howells , Michael Halcrow , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Eric Biggers Subject: [PATCH v2 3/6] KEYS: load key flags and expiry time atomically in key_validate() Date: Tue, 26 Sep 2017 13:11:02 -0700 Message-Id: <20170926201105.126166-4-ebiggers3@gmail.com> X-Mailer: git-send-email 2.14.1.992.g2c7b836f3a-goog In-Reply-To: <20170926201105.126166-1-ebiggers3@gmail.com> References: <20170926201105.126166-1-ebiggers3@gmail.com> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers In key_validate(), load the flags and expiry time once atomically, since these can change concurrently if key_validate() is called without the key semaphore held. And we don't want to get inconsistent results if a variable is referenced multiple times. For example, key->expiry was referenced in both 'if (key->expiry)' and in 'if (now.tv_sec >= key->expiry)', making it theoretically possible to see a spurious EKEYEXPIRED while the expiration time was being removed, i.e. set to 0. Signed-off-by: Eric Biggers --- security/keys/permission.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/security/keys/permission.c b/security/keys/permission.c index 732cc0beffdf..a72b4dd70c8a 100644 --- a/security/keys/permission.c +++ b/security/keys/permission.c @@ -88,7 +88,8 @@ EXPORT_SYMBOL(key_task_permission); */ int key_validate(const struct key *key) { - unsigned long flags = key->flags; + unsigned long flags = READ_ONCE(key->flags); + time_t expiry = READ_ONCE(key->expiry); if (flags & (1 << KEY_FLAG_INVALIDATED)) return -ENOKEY; @@ -99,9 +100,9 @@ int key_validate(const struct key *key) return -EKEYREVOKED; /* check it hasn't expired */ - if (key->expiry) { + if (expiry) { struct timespec now = current_kernel_time(); - if (now.tv_sec >= key->expiry) + if (now.tv_sec >= expiry) return -EKEYEXPIRED; }