summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorEric Biggers <ebiggers@google.com>2017-09-18 21:37:39 +0300
committerDavid Howells <dhowells@redhat.com>2017-09-25 17:19:57 +0300
commit8f674565d405a8c0b36ee531849df87f43e72ed5 (patch)
tree70918506b36dfac48aaab5800f09c3581ffc4581 /security
parent37863c43b2c6464f252862bf2e9768264e961678 (diff)
downloadlinux-8f674565d405a8c0b36ee531849df87f43e72ed5.tar.xz
KEYS: reset parent each time before searching key_user_tree
In key_user_lookup(), if there is no key_user for the given uid, we drop key_user_lock, allocate a new key_user, and search the tree again. But we failed to set 'parent' to NULL at the beginning of the second search. If the tree were to be empty for the second search, the insertion would be done with an invalid 'parent', scribbling over freed memory. Fortunately this can't actually happen currently because the tree always contains at least the root_key_user. But it still should be fixed to make the code more robust. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'security')
-rw-r--r--security/keys/key.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/security/keys/key.c b/security/keys/key.c
index e5c0896c3a8f..eb914a838840 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -54,10 +54,10 @@ void __key_check(const struct key *key)
struct key_user *key_user_lookup(kuid_t uid)
{
struct key_user *candidate = NULL, *user;
- struct rb_node *parent = NULL;
- struct rb_node **p;
+ struct rb_node *parent, **p;
try_again:
+ parent = NULL;
p = &key_user_tree.rb_node;
spin_lock(&key_user_lock);