oss-sec mailing list archives

CVE-2016-4470: Linux kernel: uninitialized variable in request_key handling, user-controlled kfree().


From: Wade Mealing <wmealing () redhat com>
Date: Wed, 15 Jun 2016 16:29:50 +1000

G'day,

A flaw was found in the Linux kernel's keyring handling code, where in
key_reject_and_link() there's an uninitialised variable that isn't set
by __key_link_begin() on the destination keyring if that function
fails.

If a destination keyring was supplied, then __key_link_end() is called
whether or not __key_link_begin() succeeded, with the result that the
edit pointer contains members which end up being freed. These are
the user-controlled addresses that can exist from previous memory
contents.

Thanks,

Wade Mealing
Product Security Team

Resources:

https://bugzilla.redhat.com/show_bug.cgi?id=1341716

Patch:
https://www.spinics.net/lists/linux-kernel-janitors/msg26069.html
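To make the error-path defect concrete, here is a constructed C model, added here and not the kernel's code or the upstream patch: link_begin()/link_end() stand in for __key_link_begin()/__key_link_end(), STALE_POINTER stands in for leftover stack contents, and the hardened variant shows the defensive shape of initialising the edit record and skipping the end call when begin fails.

```c
#include <stddef.h>
#include <stdlib.h>
/* Constructed model of the pattern in the advisory (not kernel code):
 * "begin" fills the edit record only on success, "end" frees whatever
 * the record points at. STALE_POINTER stands in for leftover stack
 * contents; it is compared, never dereferenced. */
struct link_edit {
    void *to_free;      /* what link_end() hands to free() (kfree() in the kernel) */
};
#define STALE_POINTER ((void *)0xdeadbeefUL)
/* Models __key_link_begin(): on failure returns an error and leaves *edit untouched. */
static int link_begin(struct link_edit *edit, int fail)
{
    if (fail)
        return -1;
    edit->to_free = malloc(16);
    return edit->to_free ? 0 : -1;
}

/* Models __key_link_end(): frees edit->to_free unconditionally.
 * Returns 1 if the value was the stale one (the bug), 0 otherwise. */
static int link_end(struct link_edit *edit)
{
    if (edit->to_free == STALE_POINTER)
        return 1;       /* real code would kfree() a user-influenced address */
    free(edit->to_free);
    edit->to_free = NULL;
    return 0;
}

/* Vulnerable shape: edit is never initialised, and link_end() runs whenever
 * a keyring was supplied, even after link_begin() failed. */
int reject_and_link_vulnerable(int have_keyring, int begin_fails)
{
    struct link_edit edit = { STALE_POINTER };  /* simulates uninitialised stack */
    if (have_keyring)
        link_begin(&edit, begin_fails);         /* result ignored */
    if (have_keyring)
        return link_end(&edit);                 /* 1 => stale free */
    return 0;
}

/* Hardened shape: zero-initialise the record and only call link_end()
 * when link_begin() reported success. */
int reject_and_link_fixed(int have_keyring, int begin_fails)
{
    struct link_edit edit = { NULL };
    int begun = have_keyring && link_begin(&edit, begin_fails) == 0;
    return begun ? link_end(&edit) : 0;
}
```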

