KEYS: fix cred refcount leak in request_key_auth_new()

Message ID	20170918183331.113261-1-ebiggers3@gmail.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-security-module-owner@kernel.org> From: Eric Biggers <ebiggers3@gmail.com> To: keyrings@vger.kernel.org Cc: David Howells <dhowells@redhat.com>, Michael Halcrow <mhalcrow@google.com>, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Eric Biggers <ebiggers@google.com> Subject: [PATCH] KEYS: fix cred refcount leak in request_key_auth_new() Date: Mon, 18 Sep 2017 11:33:31 -0700 Message-Id: <20170918183331.113261-1-ebiggers3@gmail.com> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk

Message ID

20170918183331.113261-1-ebiggers3@gmail.com (mailing list archive)

State

New, archived

Headers

From: Eric Biggers <ebiggers3@gmail.com>
To: keyrings@vger.kernel.org
Cc: David Howells <dhowells@redhat.com>,
	Michael Halcrow <mhalcrow@google.com>,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, Eric Biggers <ebiggers@google.com>
Subject: [PATCH] KEYS: fix cred refcount leak in request_key_auth_new()
Date: Mon, 18 Sep 2017 11:33:31 -0700
Message-Id: <20170918183331.113261-1-ebiggers3@gmail.com>
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk

Commit Message

Eric Biggers Sept. 18, 2017, 6:33 p.m. UTC

From: Eric Biggers <ebiggers@google.com>

In request_key_auth_new(), if alloc_key() or key_instantiate_and_link()
were to fail, we would leak a reference to the 'struct cred'.  Currently
this can only happen if alloc_key() fails to to allocate memory.  But it
still should be fixed, as it is a more severe bug waiting to happen.

Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 security/keys/request_key_auth.c | 1 +
 1 file changed, 1 insertion(+)

Comments

David Howells Sept. 19, 2017, 3:46 p.m. UTC | #1

Eric Biggers <ebiggers3@gmail.com> wrote:

> In request_key_auth_new(), if alloc_key() or key_instantiate_and_link()
> were to fail, we would leak a reference to the 'struct cred'.  Currently
> this can only happen if alloc_key() fails to to allocate memory.  But it
> still should be fixed, as it is a more severe bug waiting to happen.

It might be better to combine request_key_auth_destroy() and the error path
that you're altering in request_key_auth_new() by pulling it into a separate
function.

David
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Eric Biggers Sept. 21, 2017, 8:37 p.m. UTC | #2

On Tue, Sep 19, 2017 at 04:46:08PM +0100, David Howells wrote:
> Eric Biggers <ebiggers3@gmail.com> wrote:
> 
> > In request_key_auth_new(), if alloc_key() or key_instantiate_and_link()
> > were to fail, we would leak a reference to the 'struct cred'.  Currently
> > this can only happen if alloc_key() fails to to allocate memory.  But it
> > still should be fixed, as it is a more severe bug waiting to happen.
> 
> It might be better to combine request_key_auth_destroy() and the error path
> that you're altering in request_key_auth_new() by pulling it into a separate
> function.
> 
> David

Agreed, I'll do that.

Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
index afe9d22ab361..f2f29f13ecff 100644
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -227,6 +227,7 @@  struct key *request_key_auth_new(struct key *target, const void *callout_info,
 	key_revoke(authkey);
 	key_put(authkey);
 error_alloc:
+	put_cred(rka->cred);
 	key_put(rka->target_key);
 	key_put(rka->dest_keyring);
 	kfree(rka->callout_info);

KEYS: fix cred refcount leak in request_key_auth_new()

Commit Message

Comments

Patch