diff options
author | David Howells <dhowells@redhat.com> | 2016-04-12 19:54:58 +0100 |
---|---|---|
committer | David Howells <dhowells@redhat.com> | 2016-04-12 19:54:58 +0100 |
commit | 898de7d0f298e53568891f0ec3547b14fe8bb5d5 (patch) | |
tree | 90fb64dc5d8158417b7de658d8b0016d54264056 | |
parent | 93da17b18539cb021f1075f8620ee8f6da9b42aa (diff) | |
download | linux-898de7d0f298e53568891f0ec3547b14fe8bb5d5.tar.gz linux-898de7d0f298e53568891f0ec3547b14fe8bb5d5.tar.bz2 linux-898de7d0f298e53568891f0ec3547b14fe8bb5d5.zip |
KEYS: user_update should use copy of payload made during preparsing
The payload preparsing routine for user keys makes a copy of the payload
provided by the caller and stashes it in the key_preparsed_payload struct for
->instantiate() or ->update() to use. However, ->update() takes another copy
of this to attach to the keyring. ->update() should be using this directly
and clearing the pointer in the preparse data.
Signed-off-by: David Howells <dhowells@redhat.com>
-rw-r--r-- | security/keys/user_defined.c | 42 |
1 files changed, 11 insertions, 31 deletions
diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c index 8705d79b2c6f..66b1840b4110 100644 --- a/security/keys/user_defined.c +++ b/security/keys/user_defined.c @@ -96,45 +96,25 @@ EXPORT_SYMBOL_GPL(user_free_preparse); */ int user_update(struct key *key, struct key_preparsed_payload *prep) { - struct user_key_payload *upayload, *zap; - size_t datalen = prep->datalen; + struct user_key_payload *zap = NULL; int ret; - ret = -EINVAL; - if (datalen <= 0 || datalen > 32767 || !prep->data) - goto error; - - /* construct a replacement payload */ - ret = -ENOMEM; - upayload = kmalloc(sizeof(*upayload) + datalen, GFP_KERNEL); - if (!upayload) - goto error; - - upayload->datalen = datalen; - memcpy(upayload->data, prep->data, datalen); - /* check the quota and attach the new data */ - zap = upayload; - - ret = key_payload_reserve(key, datalen); - - if (ret == 0) { - /* attach the new data, displacing the old */ - if (!test_bit(KEY_FLAG_NEGATIVE, &key->flags)) - zap = key->payload.data[0]; - else - zap = NULL; - rcu_assign_keypointer(key, upayload); - key->expiry = 0; - } + ret = key_payload_reserve(key, prep->datalen); + if (ret < 0) + return ret; + + /* attach the new data, displacing the old */ + key->expiry = prep->expiry; + if (!test_bit(KEY_FLAG_NEGATIVE, &key->flags)) + zap = rcu_dereference_key(key); + rcu_assign_keypointer(key, prep->payload.data[0]); + prep->payload.data[0] = NULL; if (zap) kfree_rcu(zap, rcu); - -error: return ret; } - EXPORT_SYMBOL_GPL(user_update); /* |