[rh7] keys, user: fix NULL-ptr dereference in user_destroy() #PSBM-108198

Submitted by Andrey Ryabinin on Sept. 23, 2020, 11:42 a.m.

Details

Message ID 20200923114252.3098-1-aryabinin@virtuozzo.com
State New
Series "keys, user: fix NULL-ptr dereference in user_destroy() #PSBM-108198"
Headers show

Commit Message

Andrey Ryabinin Sept. 23, 2020, 11:42 a.m.
key->payload.data could be NULL

BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
IP: user_destroy+0x13/0x30

Call Trace:
  key_gc_unused_keys.constprop.1+0xfd/0x110
  key_garbage_collector+0x1d7/0x390
  process_one_work+0x185/0x440
  worker_thread+0x126/0x3c0
  kthread+0xd1/0xe0
  ret_from_fork_nospec_begin+0x7/0x21

Add the necessary check to fix this.

https://jira.sw.ru/browse/PSBM-108198
Fixes: 499126f3b029 ("keys, user: Fix high order allocation in user_instantiate()")
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
---
 security/keys/user_defined.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Patch hide | download patch | download mbox

diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
index b13d70b69069..c3196db50e30 100644
--- a/security/keys/user_defined.c
+++ b/security/keys/user_defined.c
@@ -184,8 +184,10 @@  void user_destroy(struct key *key)
 {
 	struct user_key_payload *upayload = key->payload.data;
 
-	memset(upayload, 0, sizeof(*upayload) + upayload->datalen);
-	kvfree(upayload);
+	if (upayload) {
+		memset(upayload, 0, sizeof(*upayload) + upayload->datalen);
+		kvfree(upayload);
+	}
 }
 
 EXPORT_SYMBOL_GPL(user_destroy);