keys: Fix request_key() cache
When the key cached by request_key() and co.  is cleaned up on exit(),
the code looks in the wrong task_struct, and so clears the wrong cache.
This leads to anomalies in key refcounting when doing, say, a kernel
build on an afs volume, that then trigger kasan to report a
use-after-free when the key is viewed in /proc/keys.

Fix this by making exit_creds() look in the passed-in task_struct rather
than in current (the task_struct cleanup code is deferred by RCU and
potentially run in another task).

Fixes: 7743c48 ("keys: Cache result of request_key*() temporarily in task_struct")
Signed-off-by: David Howells <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
dhowells authored and torvalds committed Jan 14, 2020
1 parent 219d543 commit 8379bb8
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions kernel/cred.c
Expand Up @@ -175,8 +175,8 @@ void exit_creds(struct task_struct *tsk)
put_cred(cred);

#ifdef CONFIG_KEYS_REQUEST_CACHE
key_put(current->cached_requested_key);
current->cached_requested_key = NULL;
key_put(tsk->cached_requested_key);
tsk->cached_requested_key = NULL;
#endif
}

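Review bot: the CONFIG_KEYS_REQUEST_CACHE block in exit_creds() carries no comment explaining why it must use tsk rather than current. The commit message says the task_struct cleanup is deferred by RCU and may run in another task, so current can refer to an unrelated task at this point. A one-line comment above key_put(tsk->cached_requested_key) stating that would help keep a later cleanup from reintroducing the current-> form. Only the put_cred(cred) call is visible above the block, so it is also worth confirming in the full function that cred is derived from tsk and not from current.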