Avoid leaking memory in the keyctl() KEYCTL_INSTANTIATE_IOV operation, by also
checking in the error case if rw_copy_check_uvector() kmalloc'd memory for us.
Discovered with Trinity.
Signed-off-by: Tommi Rantala <[email protected]>
---
security/keys/keyctl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 5d34b4e..a2c32a2 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1132,12 +1132,13 @@ long keyctl_instantiate_key_iov(key_serial_t id,
ret = rw_copy_check_uvector(WRITE, _payload_iov, ioc,
ARRAY_SIZE(iovstack), iovstack, &iov);
if (ret < 0)
- return ret;
+ goto out;
if (ret == 0)
goto no_payload_free;
ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
+out:
if (iov != iovstack)
kfree(iov);
return ret;
--
1.7.9.5