rpms / kernel

Clone
Source Code
GIT

Blame KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch

26 Label_NFS f10 f11 f12 f12-user-myoung-xendom0 f13 f13-2.6.33-master f13-user-steved-pnfs-13 f14 f14-user-kyle-bz664206 f14-user-kyle-f14-2.6.37 f14-user-lkundrak-vaio-brightness-645937 f14-user-steved-pnfs-f14 f15 f15-2.6.39 f15-30-going-on-40 f15-user-steved-pnfs-f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f25-pf f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 main oneoffs private-jcm-arm-nosmp-kallsyms private-jcm-arm-nosmp-kallsyms-f17 private-nhorman-sgx-v15 rawhide rhbz_1205083 stabilization talos user/steved/f19-lnfs-v3.8 user/steved/f19-lnfs-v3.8-rc7
  1.   1fee66988434b8c5754b7890101bf450faefa490
  2.   KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
Blob History Raw
4c23aa3 
From 05fd13592b60c3e9873f56705f80ff934e98b046 Mon Sep 17 00:00:00 2001
4c23aa3 
From: David Howells <dhowells@redhat.com>
4c23aa3 
Date: Mon, 18 Jan 2016 10:53:31 +0000
4c23aa3 
Subject: [PATCH] KEYS: Fix keyring ref leak in join_session_keyring()
4c23aa3
4c23aa3 
This fixes CVE-2016-0728.
4c23aa3
4c23aa3 
If a thread is asked to join as a session keyring the keyring that's already
4c23aa3 
set as its session, we leak a keyring reference.
4c23aa3
4c23aa3 
This can be tested with the following program:
4c23aa3
4c23aa3 
	#include <stddef.h>
4c23aa3 
	#include <stdio.h>
4c23aa3 
	#include <sys/types.h>
4c23aa3 
	#include <keyutils.h>
4c23aa3
4c23aa3 
	int main(int argc, const char *argv[])
4c23aa3 
	{
4c23aa3 
		int i = 0;
4c23aa3 
		key_serial_t serial;
4c23aa3
4c23aa3 
		serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
4c23aa3 
				"leaked-keyring");
4c23aa3 
		if (serial < 0) {
4c23aa3 
			perror("keyctl");
4c23aa3 
			return -1;
4c23aa3 
		}
4c23aa3
4c23aa3 
		if (keyctl(KEYCTL_SETPERM, serial,
4c23aa3 
			   KEY_POS_ALL | KEY_USR_ALL) < 0) {
4c23aa3 
			perror("keyctl");
4c23aa3 
			return -1;
4c23aa3 
		}
4c23aa3
4c23aa3 
		for (i = 0; i < 100; i++) {
4c23aa3 
			serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
4c23aa3 
					"leaked-keyring");
4c23aa3 
			if (serial < 0) {
4c23aa3 
				perror("keyctl");
4c23aa3 
				return -1;
4c23aa3 
			}
4c23aa3 
		}
4c23aa3
4c23aa3 
		return 0;
4c23aa3 
	}
4c23aa3
4c23aa3 
If, after the program has run, there something like the following line in
4c23aa3 
/proc/keys:
4c23aa3
4c23aa3 
3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty
4c23aa3
4c23aa3 
with a usage count of 100 * the number of times the program has been run,
4c23aa3 
then the kernel is malfunctioning.  If leaked-keyring has zero usages or
4c23aa3 
has been garbage collected, then the problem is fixed.
4c23aa3
4c23aa3 
Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
4c23aa3 
Signed-off-by: David Howells <dhowells@redhat.com>
4c23aa3 
RH-bugzilla: 1298036
4c23aa3 
---
4c23aa3 
 security/keys/process_keys.c | 1 +
4c23aa3 
 1 file changed, 1 insertion(+)
4c23aa3
4c23aa3 
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
4c23aa3 
index 43b4cddbf2b3..7877e5cd4e23 100644
4c23aa3 
--- a/security/keys/process_keys.c
4c23aa3 
+++ b/security/keys/process_keys.c
4c23aa3 
@@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
4c23aa3 
 		ret = PTR_ERR(keyring);
4c23aa3 
 		goto error2;
4c23aa3 
 	} else if (keyring == new->session_keyring) {
4c23aa3 
+		key_put(keyring);
4c23aa3 
 		ret = 0;
4c23aa3 
 		goto error2;
4c23aa3 
 	}
4c23aa3 
--
4c23aa3 
2.5.0
4c23aa3
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.