Thread (4 messages) 4 messages, 3 authors, 2020-03-06

Re: [PATCH] KEYS: Don't write out to userspace while holding key semaphore

From: Eric Biggers <ebiggers@kernel.org>
Date: 2020-03-05 21:17:24
Also in: keyrings, linux-integrity, lkml

On Thu, Mar 05, 2020 at 04:06:40PM -0500, Waiman Long wrote:
quoted hunk ↗ jump to hunk
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 9b898c969558..564a4d187329 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -846,14 +846,36 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
 can_read_key:
 	ret = -EOPNOTSUPP;
 	if (key->type->read) {
-		/* Read the data with the semaphore held (since we might sleep)
+		/*
+		 * Read the data with the semaphore held (since we might sleep)
 		 * to protect against the key being updated or revoked.
+		 *
+		 * Allocating a temporary buffer to hold the keys before
+		 * transferring them to user buffer to avoid potential
+		 * deadlock involving page fault and mmap_sem.
 		 */
+		char *tmpbuf = kmalloc(buflen, GFP_KERNEL);
This is passing an arbitrarily large size from userspace into kmalloc().

- Eric
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help