summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2016-04-12 19:54:58 +0100
committerDavid Howells <dhowells@redhat.com>2016-04-12 19:54:58 +0100
commit898de7d0f298e53568891f0ec3547b14fe8bb5d5 (patch)
tree90fb64dc5d8158417b7de658d8b0016d54264056
parent93da17b18539cb021f1075f8620ee8f6da9b42aa (diff)
downloadlinux-898de7d0f298e53568891f0ec3547b14fe8bb5d5.tar.gz
linux-898de7d0f298e53568891f0ec3547b14fe8bb5d5.tar.bz2
linux-898de7d0f298e53568891f0ec3547b14fe8bb5d5.zip
KEYS: user_update should use copy of payload made during preparsing
The payload preparsing routine for user keys makes a copy of the payload provided by the caller and stashes it in the key_preparsed_payload struct for ->instantiate() or ->update() to use. However, ->update() takes another copy of this to attach to the keyring. ->update() should be using this directly and clearing the pointer in the preparse data. Signed-off-by: David Howells <dhowells@redhat.com>
-rw-r--r--security/keys/user_defined.c42
1 files changed, 11 insertions, 31 deletions
diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
index 8705d79b2c6f..66b1840b4110 100644
--- a/security/keys/user_defined.c
+++ b/security/keys/user_defined.c
@@ -96,45 +96,25 @@ EXPORT_SYMBOL_GPL(user_free_preparse);
*/
int user_update(struct key *key, struct key_preparsed_payload *prep)
{
- struct user_key_payload *upayload, *zap;
- size_t datalen = prep->datalen;
+ struct user_key_payload *zap = NULL;
int ret;
- ret = -EINVAL;
- if (datalen <= 0 || datalen > 32767 || !prep->data)
- goto error;
-
- /* construct a replacement payload */
- ret = -ENOMEM;
- upayload = kmalloc(sizeof(*upayload) + datalen, GFP_KERNEL);
- if (!upayload)
- goto error;
-
- upayload->datalen = datalen;
- memcpy(upayload->data, prep->data, datalen);
-
/* check the quota and attach the new data */
- zap = upayload;
-
- ret = key_payload_reserve(key, datalen);
-
- if (ret == 0) {
- /* attach the new data, displacing the old */
- if (!test_bit(KEY_FLAG_NEGATIVE, &key->flags))
- zap = key->payload.data[0];
- else
- zap = NULL;
- rcu_assign_keypointer(key, upayload);
- key->expiry = 0;
- }
+ ret = key_payload_reserve(key, prep->datalen);
+ if (ret < 0)
+ return ret;
+
+ /* attach the new data, displacing the old */
+ key->expiry = prep->expiry;
+ if (!test_bit(KEY_FLAG_NEGATIVE, &key->flags))
+ zap = rcu_dereference_key(key);
+ rcu_assign_keypointer(key, prep->payload.data[0]);
+ prep->payload.data[0] = NULL;
if (zap)
kfree_rcu(zap, rcu);
-
-error:
return ret;
}
-
EXPORT_SYMBOL_GPL(user_update);
/*