Commit 97826c82 authored Nov 13, 2013 by David Howells

KEYS: Fix error handling in big_key instantiation



In the big_key_instantiate() function we return 0 if kernel_write() returns us
an error rather than returning an error.  This can potentially lead to
dentry_open() giving a BUG when called from big_key_read() with an unset
tmpfile path.

	------------[ cut here ]------------
	kernel BUG at fs/open.c:798!
	...
	RIP: 0010:[<ffffffff8119bbd1>] dentry_open+0xd1/0xe0
	...
	Call Trace:
	 [<ffffffff812350c5>] big_key_read+0x55/0x100
	 [<ffffffff81231084>] keyctl_read_key+0xb4/0xe0
	 [<ffffffff81231e58>] SyS_keyctl+0xf8/0x1d0
	 [<ffffffff815bb799>] system_call_fastpath+0x16/0x1b


Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

parent fbf8c53f

security/keys/big_key.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -78,6 +78,7 @@ int big_key_instantiate(struct key key, struct key_preparsed_payload prep)

		written = kernel_write(file, prep->data, prep->datalen, 0);
		if (written != datalen) {
		ret = written;
		if (written >= 0)
		ret = -ENOMEM;
		goto err_fput;