FPII-2316: Elevation of privilege vulnerability in kernel security subsystem CVE-2014-9529 A-29510361
When a key is being garbage collected, it's key->user would get put before the ->destroy() callback is called, where the key is removed from it's respective tracking structures.
This leaves a key hanging in a semi-invalid state which leaves a window open for a different task to try an access key->user.
An example is find_keyring_by_name() which would dereference key->user for a key that is in the process of being garbage collected (where key->user was freed but ->destroy() wasn't called yet - so it's still present in the linked list).
This would cause either a panic, or corrupt memory.
Change-Id: I1c61e596acd093d5f3d3a76c58dbae9d6019867d
1 file changed