From patchwork Wed Sep 27 19:50:43 2017
X-Patchwork-Submitter: Eric Biggers
X-Patchwork-Id: 9974653
From: Eric Biggers
To: keyrings@vger.kernel.org
Cc: David Howells, Michael Halcrow, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Eric Biggers
Subject: [PATCH v3 3/7] KEYS: load key flags atomically in key_is_instantiated()
Date: Wed, 27 Sep 2017 12:50:43 -0700
Message-Id: <20170927195047.122358-4-ebiggers3@gmail.com>
In-Reply-To: <20170927195047.122358-1-ebiggers3@gmail.com>
References: <20170927195047.122358-1-ebiggers3@gmail.com>

From: Eric Biggers In key_is_instantiated(), we check for KEY_FLAG_INSTANTIATED set and KEY_FLAG_NEGATIVE unset. But this was done as two separate bit tests which were not atomic with respect to each other, and had no memory barrier providing ordering. Therefore, it was theoretically possible for the function to incorrectly return true if called while the key was being negatively instantiated. There also needs to be a memory barrier before anything which is only meaningful for positively instantiated keys, e.g. ->payload and ->datalen, can be read --- which some of the ->describe() methods do. Fix both these problems by loading the flags using smp_load_acquire(). Signed-off-by: Eric Biggers --- include/linux/key.h | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/include/linux/key.h b/include/linux/key.h index b7b590d7c480..551f099f2f6a 100644 --- a/include/linux/key.h +++ b/include/linux/key.h @@ -372,8 +372,11 @@ extern void key_set_timeout(struct key *, unsigned); */ static inline bool key_is_instantiated(const struct key *key) { - return test_bit(KEY_FLAG_INSTANTIATED, &key->flags) && - !test_bit(KEY_FLAG_NEGATIVE, &key->flags); + /* Pairs with RELEASE in mark_key_instantiated() */ + unsigned long flags = smp_load_acquire(&key->flags); + + return (flags & (1 << KEY_FLAG_INSTANTIATED)) && + !(flags & (1 << KEY_FLAG_NEGATIVE)); } #define dereference_key_rcu(KEY) \
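
Review bot: In the new return expression the masks are built as (1 << KEY_FLAG_INSTANTIATED) and (1 << KEY_FLAG_NEGATIVE), an int shift tested against an unsigned long flags word; prefer BIT(KEY_FLAG_INSTANTIATED) and BIT(KEY_FLAG_NEGATIVE), or 1UL << ..., so the mask has the same width as the word it is tested against and stays correct if a flag number ever reaches 31 or above. Separately, the added comment says the load pairs with a RELEASE in mark_key_instantiated(), which is not part of this diff: the acquire only orders the later ->payload and ->datalen reads if every path that sets these two bits publishes them with release semantics, so the commit message should name the patch in the series that adds that writer side.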
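
The difference between the two-test check and the single acquire load described in the commit message, as an added user-space example in C11 atomics (not kernel code and not part of the patch). The bit numbers, struct layout, publish() writer and two_test() model are assumptions made for illustration.

```c
/* Added illustration; constructed names and values, not kernel code. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

enum { FLAG_INSTANTIATED = 0, FLAG_NEGATIVE = 1 };   /* constructed bit numbers */
#define MASK(bit) (1UL << (bit))

struct key {
    atomic_ulong flags;
    const char *payload;   /* only meaningful for positively instantiated keys */
};

/* Hypothetical writer: store the payload, then set the state bits with RELEASE. */
static void publish(struct key *k, const char *payload, bool negative)
{
    k->payload = payload;
    atomic_fetch_or_explicit(&k->flags,
        MASK(FLAG_INSTANTIATED) | (negative ? MASK(FLAG_NEGATIVE) : 0),
        memory_order_release);
}

/* Old shape: two independent reads, modelled by passing in the value each
 * read observed. Nothing forces both reads to see the same flags word. */
static bool two_test(unsigned long seen_by_first, unsigned long seen_by_second)
{
    return (seen_by_first & MASK(FLAG_INSTANTIATED)) &&
           !(seen_by_second & MASK(FLAG_NEGATIVE));
}

/* New shape: one ACQUIRE load, both bits judged from the same snapshot. */
static bool is_instantiated(struct key *k)
{
    unsigned long flags = atomic_load_explicit(&k->flags, memory_order_acquire);

    return (flags & MASK(FLAG_INSTANTIATED)) && !(flags & MASK(FLAG_NEGATIVE));
}

/* Reader pattern the barrier protects: touch payload only after the check. */
static const char *read_payload(struct key *k)
{
    return is_instantiated(k) ? k->payload : NULL;
}
```

Calling two_test() with a flags value taken after a negative publish() for the first read and a value taken before it for the second shows the mixed view that makes the old check return true.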