Dmitry Vyukov <dvyu...@google.com> wrote: > > Does the attached patch fix it for you? > > Yes, it fixes the crash for me.
I have an additional patch to prevent keyrings from being constructed by request_key() at all (though it can still search for them). Could you give this a spin in addition to the previous one also? Thanks, David --- commit 27874345bb8d2c39f3d493607a86ecbfcb100405 Author: David Howells <dhowe...@redhat.com> Date: Mon Oct 19 11:20:28 2015 +0100 KEYS: Don't permit request_key() to construct a new keyring If request_key() is used to find a keyring, only do the search part - don't do the construction part if the keyring was not found by the search. We don't really want keyrings in the negative instantiated state since the rejected/negative instantiation error value in the payload is unioned with keyring metadata. Signed-off-by: David Howells <dhowe...@redhat.com> diff --git a/security/keys/request_key.c b/security/keys/request_key.c index 486ef6fa393b..0d6253124278 100644 --- a/security/keys/request_key.c +++ b/security/keys/request_key.c @@ -440,6 +440,9 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx, kenter(""); + if (ctx->index_key.type == &key_type_keyring) + return ERR_PTR(-EPERM); + user = key_user_lookup(current_fsuid()); if (!user) return ERR_PTR(-ENOMEM); -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html