linux_dsm_epyc7002/security/keys
David Howells f05819df10 KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring
The following sequence of commands:

    i=`keyctl add user a a @s`
    keyctl request2 keyring foo bar @t
    keyctl unlink $i @s

tries to invoke an upcall to instantiate a keyring if one doesn't already
exist by that name within the user's keyring set.  However, if the upcall
fails, the code sets keyring->type_data.reject_error to -ENOKEY or some
other error code.  When the key is garbage collected, the key destroy
function is called unconditionally and keyring_destroy() uses list_empty()
on keyring->type_data.link - which is in a union with reject_error.
Subsequently, the kernel tries to unlink the keyring from the keyring names
list - which oopses like this:

	BUG: unable to handle kernel paging request at 00000000ffffff8a
	IP: [<ffffffff8126e051>] keyring_destroy+0x3d/0x88
	...
	Workqueue: events key_garbage_collector
	...
	RIP: 0010:[<ffffffff8126e051>] keyring_destroy+0x3d/0x88
	RSP: 0018:ffff88003e2f3d30  EFLAGS: 00010203
	RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000
	RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40
	RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000
	R10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900
	R13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000
	...
	CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0
	...
	Call Trace:
	 [<ffffffff8126c756>] key_gc_unused_keys.constprop.1+0x5d/0x10f
	 [<ffffffff8126ca71>] key_garbage_collector+0x1fa/0x351
	 [<ffffffff8105ec9b>] process_one_work+0x28e/0x547
	 [<ffffffff8105fd17>] worker_thread+0x26e/0x361
	 [<ffffffff8105faa9>] ? rescuer_thread+0x2a8/0x2a8
	 [<ffffffff810648ad>] kthread+0xf3/0xfb
	 [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
	 [<ffffffff815f2ccf>] ret_from_fork+0x3f/0x70
	 [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2

Note the value in RAX.  This is a 32-bit representation of -ENOKEY.

The solution is to only call ->destroy() if the key was successfully
instantiated.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
2015-10-15 17:21:37 +01:00
..
encrypted-keys KEYS: Fix stale key registration at error path 2014-12-06 21:50:36 -05:00
big_key.c KEYS: Remove key_type::match in favour of overriding default by match_preparse 2014-09-16 17:36:06 +01:00
compat.c switch keyctl_instantiate_key_common() to iov_iter 2015-04-11 22:27:12 -04:00
gc.c KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring 2015-10-15 17:21:37 +01:00
internal.h switch keyctl_instantiate_key_common() to iov_iter 2015-04-11 22:27:12 -04:00
Kconfig KEYS: Make /proc/keys unconditional if CONFIG_KEYS=y 2015-01-22 22:34:32 +00:00
key.c KEYS: remove a bogus NULL check 2014-12-16 18:05:20 +11:00
keyctl.c switch keyctl_instantiate_key_common() to iov_iter 2015-04-11 22:27:12 -04:00
keyring.c KEYS: ensure we free the assoc array edit if edit is valid 2015-07-28 13:08:23 +10:00
Makefile KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches 2013-09-24 10:35:19 +01:00
permission.c KEYS: Move the flags representing required permission to linux/key.h 2014-03-14 17:44:49 +00:00
persistent.c KEYS: Move the flags representing required permission to linux/key.h 2014-03-14 17:44:49 +00:00
proc.c KEYS: Make /proc/keys unconditional if CONFIG_KEYS=y 2015-01-22 22:34:32 +00:00
process_keys.c capabilities: ambient capabilities 2015-09-04 16:54:41 -07:00
request_key_auth.c KEYS: Simplify KEYRING_SEARCH_{NO,DO}_STATE_CHECK flags 2014-12-01 22:52:50 +00:00
request_key.c Don't leak a key reference if request_key() tries to use a revoked keyring 2015-02-16 13:45:16 +11:00
sysctl.c security: Convert use of typedef ctl_table to struct ctl_table 2014-04-15 13:39:58 +10:00
trusted.c KEYS: Remove key_type::match in favour of overriding default by match_preparse 2014-09-16 17:36:06 +01:00
trusted.h trusted-keys: rename trusted_defined files to trusted 2011-01-24 10:14:22 +11:00
user_defined.c KEYS: Remove key_type::match in favour of overriding default by match_preparse 2014-09-16 17:36:06 +01:00