diff mbox series

[5.8,103/124] rxrpc: Fix server keyring leak

Message ID	20201012133151.848250785@linuxfoundation.org
State	New
Headers	show Return-Path: <SRS0=uWP8=DT=vger.kernel.org=stable-owner@kernel.org> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, David Howells <dhowells@redhat.com>, Sasha Levin <sashal@kernel.org> Subject: [PATCH 5.8 103/124] rxrpc: Fix server keyring leak Date: Mon, 12 Oct 2020 15:31:47 +0200 Message-Id: <20201012133151.848250785@linuxfoundation.org> In-Reply-To: <20201012133146.834528783@linuxfoundation.org> References: <20201012133146.834528783@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	None \| expand [5.8,002/124] Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts [5.8,003/124] fbcon: Fix global-out-of-bounds read in fbcon_get_font() [5.8,006/124] crypto: arm64: Use x16 with indirect branch to bti_c [5.8,007/124] exfat: fix use of uninitialized spinlock on error path [5.8,008/124] net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() [5.8,010/124] drm/nouveau/mem: guard against NULL pointer access in mem_del [5.8,011/124] partitions/ibm: fix non-DASD devices [5.8,013/124] vhost: Dont call access_ok() when using IOTLB [5.8,016/124] splice: teach splice pipe reading about empty pipe buffers [5.8,017/124] Platform: OLPC: Fix memleak in olpc_ec_probe [5.8,020/124] platform/x86: asus-wmi: Fix SW_TABLET_MODE always reporting 1 on many different models [5.8,021/124] bpf: Fix sysfs export of empty BTF section [5.8,022/124] bpf: Prevent .BTF section elimination [5.8,024/124] platform/x86: intel-vbtn: Switch to an allow-list for SW_TABLET_MODE reporting [5.8,028/124] RISC-V: Make sure memblock reserves the memory containing DT [5.8,029/124] gpiolib: Disable compat ->read() code in UML case [5.8,032/124] tcp: use sendpage_ok() to detect misused .sendpage [5.8,035/124] espintcp: restore IP CB before handing the packet to xfrm [5.8,036/124] cifs: Fix incomplete memory allocation on setxattr path [5.8,037/124] i2c: meson: fix clock setting overwrite [5.8,038/124] i2c: meson: keep peripheral clock enabled [5.8,044/124] openvswitch: handle DNAT tuple collision [5.8,045/124] drm/amdgpu: prevent double kfree ttm->sg [5.8,046/124] btrfs: move btrfs_scratch_superblocks into btrfs_dev_replace_finishing [5.8,047/124] io_uring: fix potential ABBA deadlock in ->show_fdinfo() [5.8,049/124] drm/amd/display: fix return value check for hdcp_work [5.8,050/124] drm/vmwgfx: Fix error handling in get_node [5.8,052/124] iommu/vt-d: Fix lockdep splat in iommu_flush_dev_iotlb() [5.8,053/124] xfrm: clone XFRMA_SET_MARK in xfrm_do_migrate [5.8,054/124] xfrm: clone XFRMA_REPLAY_ESN_VAL in xfrm_do_migrate [5.8,056/124] xfrm: clone whole liftime_cur structure in xfrm_do_migrate [5.8,059/124] platform/x86: fix kconfig dependency warning for LG_LAPTOP [5.8,061/124] hinic: add log in exception handling processes [5.8,064/124] xfrm: Use correct address family in xfrm_state_find [5.8,066/124] iavf: Fix incorrect adapter get in iavf_resume [5.8,067/124] ice: fix memory leak if register_netdev_fails [5.8,069/124] vmxnet3: fix cksum offload issues for non-udp tunnels [5.8,071/124] net: ethernet: cavium: octeon_mgmt: use phy_start and phy_stop [5.8,073/124] mdio: fix mdio-thunder.c dependency & build error [5.8,077/124] virtio-net: dont disable guest csum when disable LRO [5.8,080/124] octeontx2-pf: Fix TCP/UDP checksum offload for IPv6 frames [5.8,082/124] octeontx2-pf: Fix synchnorization issue in mbox [5.8,085/124] net/mlx5: Avoid possible free of command entry while timeout comp handler [5.8,086/124] net/mlx5: poll cmd EQ in case of command timeout [5.8,089/124] net/mlx5e: Add resiliency in Striding RQ mode for packets larger than MTU [5.8,093/124] net/mlx5e: Fix race condition on nhe->n pointer in neigh update [5.8,095/124] net: hinic: fix DEVLINK build errors [5.8,098/124] net: mvneta: fix double free of txq->buf [5.8,100/124] rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read() [5.8,101/124] rxrpc: Fix some missing _bh annotations on locking conn->state_lock [5.8,103/124] rxrpc: Fix server keyring leak [5.8,104/124] net: mscc: ocelot: rename ocelot_board.c to ocelot_vsc7514.c [5.8,106/124] net: mscc: ocelot: extend watermark encoding function [5.8,107/124] net: mscc: ocelot: divide watermark value by 60 when writing to SYS_ATOP [5.8,112/124] mm: khugepaged: recalculate min_free_kbytes after memory hotplug as expected by khu... [5.8,114/124] netlink: fix policy dump leak [5.8,115/124] net/core: check length before updating Ethertype in skb_mpls_{push,pop} [5.8,116/124] net: bridge: fdb: dont flush ext_learn entries [5.8,117/124] net/tls: race causes kernel panic [5.8,118/124] net/mlx5e: Fix drivers declaration to support GRE offload [5.8,121/124] net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails [5.8,122/124] net: qrtr: ns: Protect radix_tree_deref_slot() using rcu read locks [5.8,124/124] net_sched: commit action insertions together

Commit Message

Greg Kroah-Hartman Oct. 12, 2020, 1:31 p.m. UTC

From: David Howells <dhowells@redhat.com>

[ Upstream commit 38b1dc47a35ba14c3f4472138ea56d014c2d609b ]

If someone calls setsockopt() twice to set a server key keyring, the first
keyring is leaked.

Fix it to return an error instead if the server key keyring is already set.

Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/rxrpc/key.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff mbox series

Patch

diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c
index 64cbbd2f16944..85a9ff8cd236a 100644
--- a/net/rxrpc/key.c
+++ b/net/rxrpc/key.c
@@ -903,7 +903,7 @@  int rxrpc_request_key(struct rxrpc_sock *rx, char __user *optval, int optlen)
 
 	_enter("");
 
-	if (optlen <= 0 || optlen > PAGE_SIZE - 1)
+	if (optlen <= 0 || optlen > PAGE_SIZE - 1 || rx->securities)
 		return -EINVAL;
 
 	description = memdup_user_nul(optval, optlen);