The commit is pushed to "branch-rh8-4.18.0-193.6.3.vz8.4.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-193.6.3.vz8.4.8
------>
commit c6c2414920d292dc6e9f877290bbbe4d1aab61aa
Author: Konstantin Khorenko <khore...@virtuozzo.com>
Date: Fri Sep 25 18:16:12 2020 +0300

    keys,user: Fix NULL-ptr dereference in user_free_preparse() #PSBM-108291

    user_free_preparse() can validly receive "prep" arg with NULL payload
    (prep->payload.data[0]) => add a check for that.

    key_create_or_update() {
        ...
        if (index_key.type->preparse) {
            ret = index_key.type->preparse(&prep);
            // user_preparse(), kvmalloc(), prep->payload.data[0] filled
            ...
        }
        ...
        ret = __key_instantiate_and_link(key, &prep, keyring, NULL, &edit);
        // it sets prep->payload.data[0] to NULL
        ...
    error_free_prep:
        if (index_key.type->preparse)
            index_key.type->free_preparse(&prep);
            // user_free_preparse(), memset(prep->payload.data[0], ...)
            // crash here
        ...
    }

    key_create_or_update()
      __key_instantiate_and_link()
        key->type->instantiate() == generic_key_instantiate()
          prep->payload.data[0] = NULL;

    Fixes: d77ff0bac744 ("keys, user: Fix high order allocation in user_instantiate()")

    https://jira.sw.ru/browse/PSBM-108291

    Signed-off-by: Konstantin Khorenko <khore...@virtuozzo.com>

--- security/keys/user_defined.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c index 54a4e0a48cf2..a1d80d3dad06 100644 --- a/security/keys/user_defined.c +++ b/security/keys/user_defined.c @@ -89,8 +89,10 @@ void user_free_preparse(struct key_preparsed_payload *prep) { struct user_key_payload *upayload = prep->payload.data[0]; - memset(upayload, 0, sizeof(*upayload) + upayload->datalen); - kvfree(upayload); + if (upayload) { + memset(upayload, 0, sizeof(*upayload) + upayload->datalen); + kvfree(upayload); + } } EXPORT_SYMBOL_GPL(user_free_preparse);
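
Review bot: the new "if (upayload)" guard in user_free_preparse() carries no comment saying why a NULL payload is legitimate at this point, so a later reader cannot tell an ownership hand-off from a masked bug; the reason (generic_key_instantiate() sets prep->payload.data[0] to NULL once the key has taken the payload) is recorded only in the commit message. A one-line comment above the check stating that a NULL data[0] means the payload was already consumed by instantiate would keep that rule next to the code. Separately, the memset() that wipes the payload sits directly before kvfree(), which is the position where memzero_explicit() is normally preferred for key material, since it is not subject to dead-store elimination; worth switching if the helper is available in this tree.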