target/linux/generic/patches-4.4/010-KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch

   1 From 7ca88764d45c209791e8813131c1457c2e9e51e7 Mon Sep 17 00:00:00 2001
   2 From: Yevgeny Pats <yevgeny@perception-point.io>
   3 Date: Mon, 11 Jan 2016 12:05:28 +0000
   4 Subject: KEYS: Fix keyring ref leak in join_session_keyring()
   5
   6 If a thread is asked to join as a session keyring the keyring that's already
   7 set as its session, we leak a keyring reference.
   8
   9 This can be tested with the following program:
  10
  11         #include <stddef.h>
  12         #include <stdio.h>
  13         #include <sys/types.h>
  14         #include <keyutils.h>
  15
  16         int main(int argc, const char *argv[])
  17         {
  18                 int i = 0;
  19                 key_serial_t serial;
  20
  21                 serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
  22                                 "leaked-keyring");
  23                 if (serial < 0) {
  24                         perror("keyctl");
  25                         return -1;
  26                 }
  27
  28                 if (keyctl(KEYCTL_SETPERM, serial,
  29                            KEY_POS_ALL | KEY_USR_ALL) < 0) {
  30                         perror("keyctl");
  31                         return -1;
  32                 }
  33
  34                 for (i = 0; i < 100; i++) {
  35                         serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
  36                                         "leaked-keyring");
  37                         if (serial < 0) {
  38                                 perror("keyctl");
  39                                 return -1;
  40                         }
  41                 }
  42
  43                 return 0;
  44         }
  45
  46 If, after the program has run, there something like the following line in
  47 /proc/keys:
  48
  49 3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty
  50
  51 with a usage count of 100 * the number of times the program has been run,
  52 then the kernel is malfunctioning.  If leaked-keyring has zero usages or
  53 has been garbage collected, then the problem is fixed.
  54
  55 Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
  56 Signed-off-by: David Howells <dhowells@redhat.com>
  57 ---
  58  security/keys/process_keys.c | 1 +
  59  1 file changed, 1 insertion(+)
  60
  61 diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
  62 index a3f85d2..e6d50172 100644
  63 --- a/security/keys/process_keys.c
  64 +++ b/security/keys/process_keys.c
  65 @@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
  66                 ret = PTR_ERR(keyring);
  67                 goto error2;
  68         } else if (keyring == new->session_keyring) {
  69 +               key_put(keyring);
  70                 ret = 0;
  71                 goto error2;
  72         }
  73 --
  74 2.7.0.rc3
  75