[RHEL8,COMMIT] keys, user: fix NULL-ptr dereference in user_destroy() #PSBM-108198

Submitted by Konstantin Khorenko on Sept. 24, 2020, 1:49 p.m.

Details

Message ID 202009241349.08ODnw7T371615@finist-co8.sw.ru
State New
Series "keys, user: fix NULL-ptr dereference in user_destroy() #PSBM-108198"

Commit Message

Konstantin Khorenko Sept. 24, 2020, 1:49 p.m.
The commit is pushed to "branch-rh8-4.18.0-193.6.3.vz8.4.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-193.6.3.vz8.4.7
------>
commit aa398a57928328c8be2bf3fd19da9f734bb5e0f4
Author: Andrey Ryabinin <aryabinin@virtuozzo.com>
Date:   Wed Sep 23 15:55:59 2020 +0300

    keys,user: fix NULL-ptr dereference in user_destroy() #PSBM-108198
    
    key->payload.data could be NULL
    
    BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
    IP: user_destroy+0x13/0x30
    
    Call Trace:
      key_gc_unused_keys.constprop.1+0xfd/0x110
      key_garbage_collector+0x1d7/0x390
      process_one_work+0x185/0x440
      worker_thread+0x126/0x3c0
      kthread+0xd1/0xe0
      ret_from_fork_nospec_begin+0x7/0x21
    
    Add the necessary check to fix this.
    
    https://jira.sw.ru/browse/PSBM-108198
    Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
    
    Fixes: d77ff0bac744 ("keys, user: Fix high order allocation in user_instantiate()")
    (cherry picked from commit a0e271fd8929312b1c5dab72fbc8bc336a296b45)
    Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
---
 security/keys/user_defined.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)


diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
index 39add3cd78ef..54a4e0a48cf2 100644
--- a/security/keys/user_defined.c
+++ b/security/keys/user_defined.c
@@ -156,8 +156,10 @@  void user_destroy(struct key *key)
 {
 	struct user_key_payload *upayload = key->payload.data[0];
 
-	memset(upayload, 0, sizeof(*upayload) + upayload->datalen);
-	kvfree(upayload);
+	if (upayload) {
+		memset(upayload, 0, sizeof(*upayload) + upayload->datalen);
+		kvfree(upayload);
+	}
 }
 
 EXPORT_SYMBOL_GPL(user_destroy);
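
Review bot: The memset() inside the new if (upayload) block is a plain store to memory that is handed to kvfree() on the next line, so the compiler may treat the wipe of the key payload as a dead store and drop it. Since this line is being touched anyway, consider memzero_explicit(upayload, sizeof(*upayload) + upayload->datalen) so the zeroing is guaranteed to happen. Separately, the commit message only says that key->payload.data "could be NULL"; a one-line comment above the check naming the path on which a key reaches user_destroy() with data[0] unset would make the guard easier to justify and would help decide whether other users of key->payload.data[0] in this file need the same check.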