|
Chuck Ebbert |
a4789ad |
From: David Howells <dhowells@redhat.com>
|
|
Chuck Ebbert |
a4789ad |
Date: Fri, 10 Sep 2010 08:59:51 +0000 (+0100)
|
|
Chuck Ebbert |
a4789ad |
Subject: KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
|
|
Chuck Ebbert |
a4789ad |
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=3d96406c7da1ed5811ea52a3b0905f4f0e295376
|
|
Chuck Ebbert |
a4789ad |
|
|
Chuck Ebbert |
a4789ad |
KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
|
|
Chuck Ebbert |
a4789ad |
|
|
Chuck Ebbert |
a4789ad |
Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
|
|
Chuck Ebbert |
a4789ad |
of the parent process's session keyring whether or not the parent has a session
|
|
Chuck Ebbert |
a4789ad |
keyring [CVE-2010-2960].
|
|
Chuck Ebbert |
a4789ad |
|
|
Chuck Ebbert |
a4789ad |
This results in the following oops:
|
|
Chuck Ebbert |
a4789ad |
|
|
Chuck Ebbert |
a4789ad |
BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
|
|
Chuck Ebbert |
a4789ad |
IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443
|
|
Chuck Ebbert |
a4789ad |
...
|
|
Chuck Ebbert |
a4789ad |
Call Trace:
|
|
Chuck Ebbert |
a4789ad |
[<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443
|
|
Chuck Ebbert |
a4789ad |
[<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0
|
|
Chuck Ebbert |
a4789ad |
[<ffffffff811af98c>] sys_keyctl+0xb4/0xb8
|
|
Chuck Ebbert |
a4789ad |
[<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
|
|
Chuck Ebbert |
a4789ad |
|
|
Chuck Ebbert |
a4789ad |
if the parent process has no session keyring.
|
|
Chuck Ebbert |
a4789ad |
|
|
Chuck Ebbert |
a4789ad |
If the system is using pam_keyinit then it mostly protected against this as all
|
|
Chuck Ebbert |
a4789ad |
processes derived from a login will have inherited the session keyring created
|
|
Chuck Ebbert |
a4789ad |
by pam_keyinit during the log in procedure.
|
|
Chuck Ebbert |
a4789ad |
|
|
Chuck Ebbert |
a4789ad |
To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.
|
|
Chuck Ebbert |
a4789ad |
|
|
Chuck Ebbert |
a4789ad |
Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
|
|
Chuck Ebbert |
a4789ad |
Signed-off-by: David Howells <dhowells@redhat.com>
|
|
Chuck Ebbert |
a4789ad |
Acked-by: Tavis Ormandy <taviso@cmpxchg8b.com>
|
|
Chuck Ebbert |
a4789ad |
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
Chuck Ebbert |
a4789ad |
---
|
|
Chuck Ebbert |
a4789ad |
|
|
Chuck Ebbert |
a4789ad |
[ 2.6.32 backport ]
|
|
Chuck Ebbert |
a4789ad |
|
|
Chuck Ebbert |
a4789ad |
diff a/security/keys/keyctl.c b/security/keys/keyctl.c
|
|
Chuck Ebbert |
a4789ad |
--- a/security/keys/keyctl.c
|
|
Chuck Ebbert |
a4789ad |
+++ b/security/keys/keyctl.c
|
|
Chuck Ebbert |
a4789ad |
@@ -1291,7 +1291,8 @@ long keyctl_session_to_parent(void)
|
|
Chuck Ebbert |
a4789ad |
goto not_permitted;
|
|
Chuck Ebbert |
a4789ad |
|
|
Chuck Ebbert |
a4789ad |
/* the keyrings must have the same UID */
|
|
Chuck Ebbert |
a4789ad |
- if (pcred ->tgcred->session_keyring->uid != mycred->euid ||
|
|
Chuck Ebbert |
a4789ad |
+ if ((pcred->tgcred->session_keyring &&
|
|
Chuck Ebbert |
a4789ad |
+ pcred->tgcred->session_keyring->uid != mycred->euid) ||
|
|
Chuck Ebbert |
a4789ad |
mycred->tgcred->session_keyring->uid != mycred->euid)
|
|
Chuck Ebbert |
a4789ad |
goto not_permitted;
|
|
Chuck Ebbert |
a4789ad |
|
|
Chuck Ebbert |
a4789ad |
|