[Devel] [PATCH RHEL8 COMMIT] keys, user: Fix NULL-ptr dereference in user_free_preparse() #PSBM-108291
Konstantin Khorenko
khorenko at virtuozzo.com
Fri Sep 25 18:18:28 MSK 2020
The commit is pushed to "branch-rh8-4.18.0-193.6.3.vz8.4.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-193.6.3.vz8.4.8
------>
commit c6c2414920d292dc6e9f877290bbbe4d1aab61aa
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date: Fri Sep 25 18:16:12 2020 +0300
keys,user: Fix NULL-ptr dereference in user_free_preparse() #PSBM-108291
user_free_preparse() can validly receive "prep" arg with NULL payload
(prep->payload.data[0]) => add a check for that.
key_create_or_update()
{
...
if (index_key.type->preparse) {
ret = index_key.type->preparse(&prep);
// user_preparse(), kvmalloc(), prep->payload.data[0] filled
...
}
...
ret = __key_instantiate_and_link(key, &prep, keyring, NULL, &edit);
// it sets prep->payload.data[0] to NULL
...
error_free_prep:
if (index_key.type->preparse)
index_key.type->free_preparse(&prep);
// user_free_preparse(), memset(prep->payload.data[0], ...)
// crash here
...
}
key_create_or_update()
__key_instantiate_and_link()
key->type->instantiate() == generic_key_instantiate()
prep->payload.data[0] = NULL;
Fixes: d77ff0bac744 ("keys, user: Fix high order allocation in user_instantiate()")
https://jira.sw.ru/browse/PSBM-108291
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
security/keys/user_defined.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
index 54a4e0a48cf2..a1d80d3dad06 100644
--- a/security/keys/user_defined.c
+++ b/security/keys/user_defined.c
@@ -89,8 +89,10 @@ void user_free_preparse(struct key_preparsed_payload *prep)
{
struct user_key_payload *upayload = prep->payload.data[0];
- memset(upayload, 0, sizeof(*upayload) + upayload->datalen);
- kvfree(upayload);
+ if (upayload) {
+ memset(upayload, 0, sizeof(*upayload) + upayload->datalen);
+ kvfree(upayload);
+ }
}
EXPORT_SYMBOL_GPL(user_free_preparse);
More information about the Devel
mailing list