linux/include
David Howells 75845c6c1a keys: Fix UAF in key_put()
Once a key's reference count has been reduced to 0, the garbage collector
thread may destroy it at any time and so key_put() is not allowed to touch
the key after that point.  The most key_put() is normally allowed to do is
to touch key_gc_work as that's a static global variable.

However, in an effort to speed up the reclamation of quota, this is now
done in key_put() once the key's usage is reduced to 0 - but now the code
is looking at the key after the deadline, which is forbidden.

Fix this by using a flag to indicate that a key can be gc'd now rather than
looking at the key's refcount in the garbage collector.

Fixes: 9578e327b2 ("keys: update key quotas in key_put()")
Reported-by: syzbot+6105ffc1ded71d194d6d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/673b6aec.050a0220.87769.004a.GAE@google.com/
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: syzbot+6105ffc1ded71d194d6d@syzkaller.appspotmail.com
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2025-03-22 15:36:49 +02:00
acpi LoongArch changes for v6.14 2025-01-28 08:52:01 -08:00
asm-generic arm64 fixes for -rc5 2025-03-01 13:44:51 -08:00
clocksource KVM/arm64 updates for 6.14 2025-01-28 09:01:36 -08:00
crypto
cxl
drm drm: Fix DSC BPP increment decoding 2025-02-13 10:20:30 +02:00
dt-bindings dt-bindings: clock: qcom: Add CAMCC clocks for QCS8300 2025-02-02 20:59:04 -06:00
hyperv
keys keys: drop shadowing dead prototype 2025-01-21 11:25:23 +02:00
kunit linux_kselftest-kunit-6.14-rc1 2025-01-22 12:32:39 -08:00
kvm Merge branch kvm-arm64/pkvm-memshare-declutter into kvmarm-master/next 2025-01-17 11:05:18 +00:00
linux keys: Fix UAF in key_put() 2025-03-22 15:36:49 +02:00
math-emu
media
memory
misc
net bluetooth pull request for net: 2025-03-19 19:44:05 +01:00
pcmcia
ras
rdma
rv rv: Reset per-task monitors also for idle tasks 2025-01-23 12:16:04 -05:00
scsi Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
soc soc: driver updates for 6.14 2025-01-24 14:56:59 -08:00
sound ASoC: ops: Consistently treat platform_max as control value 2025-03-05 17:25:25 +00:00
target
trace Including fixes from bluetooth. We didn't get netfilter or wireless PRs 2025-02-27 09:32:42 -08:00
uapi Landlock fix for v6.14-rc5 2025-02-26 11:55:44 -08:00
ufs scsi: ufs: core: Fix use-after free in init error and remove paths 2025-02-03 17:20:01 -05:00
vdso vdso: Correct typo in PAGE_SHIFT comment 2025-01-15 11:07:08 +01:00
video
xen