Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / 0006c9daa71f864d79f38c624c8d9bdba1eb9715
commit0006c9daa71f864d79f38c624c8d9bdba1eb9715[log] [tgz]
authorJeron Susan <jeron.susan@hi-p.com>Wed Aug 24 13:46:29 2016 +0800
committerJeron Susan <jeron.susan@hi-p.com>Wed Aug 24 13:48:06 2016 +0800
tree9f27a908405aa6c8cdbb559277d66e9b062d7e5f
parent1b2bce6f5944e83921fcf7e381fb5cb8d8d31637 [diff]
FPII-2316: Elevation of privilege vulnerability in kernel security subsystem CVE-2014-9529 A-29510361

When a key is being garbage collected, it's key->user would get put before the ->destroy() callback is called, where the key is removed from it's respective tracking structures.
This leaves a key hanging in a semi-invalid state which leaves a window open for a different task to try an access key->user.
An example is find_keyring_by_name() which would dereference key->user for a key that is in the process of being garbage collected (where key->user was freed but ->destroy() wasn't called yet - so it's still present in the linked list).
This would cause either a panic, or corrupt memory.

Change-Id: I1c61e596acd093d5f3d3a76c58dbae9d6019867d
1 file changed
tree: 9f27a908405aa6c8cdbb559277d66e9b062d7e5f
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. AndroidKernel.mk
  25. COPYING
  26. CREDITS
  27. Kbuild
  28. Kconfig
  29. MAINTAINERS
  30. Makefile
  31. README
  32. REPORTING-BUGS