From 3ebdb989938e07e07dc8f0a39d7eca1148e4d815 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Jul 27 2015 14:51:57 +0000
Subject: CVE-2015-1333 add_key memory leak (rhbz 1244171)


---

diff --git a/KEYS-ensure-we-free-the-assoc-array-edit-if-edit-is-.patch b/KEYS-ensure-we-free-the-assoc-array-edit-if-edit-is-.patch
new file mode 100644
index 0000000..dc43b8a
--- /dev/null
+++ b/KEYS-ensure-we-free-the-assoc-array-edit-if-edit-is-.patch
@@ -0,0 +1,45 @@
+From 3881b164810a564714dfdc16520b0fe538ae4bf7 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Mon, 27 Jul 2015 15:23:43 +0100
+Subject: [PATCH] KEYS: ensure we free the assoc array edit if edit is valid
+
+__key_link_end is not freeing the associated array edit structure
+and this leads to a 512 byte memory leak each time an identical
+existing key is added with add_key().
+
+The reason the add_key() system call returns okay is that
+key_create_or_update() calls __key_link_begin() before checking to see
+whether it can update a key directly rather than adding/replacing - which
+it turns out it can.  Thus __key_link() is not called through
+__key_instantiate_and_link() and __key_link_end() must cancel the edit.
+
+CVE-2015-1333
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ security/keys/keyring.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/security/keys/keyring.c b/security/keys/keyring.c
+index e72548b5897e..d33437007ad2 100644
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -1181,9 +1181,11 @@ void __key_link_end(struct key *keyring,
+ 	if (index_key->type == &key_type_keyring)
+ 		up_write(&keyring_serialise_link_sem);
+ 
+-	if (edit && !edit->dead_leaf) {
+-		key_payload_reserve(keyring,
+-				    keyring->datalen - KEYQUOTA_LINK_BYTES);
++	if (edit) {
++		if (!edit->dead_leaf) {
++			key_payload_reserve(keyring,
++				keyring->datalen - KEYQUOTA_LINK_BYTES);
++		}
+ 		assoc_array_cancel_edit(edit);
+ 	}
+ 	up_write(&keyring->sem);
+-- 
+2.4.3
+
diff --git a/kernel.spec b/kernel.spec
index 3e9d499..85ea105 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -637,6 +637,9 @@ Patch26252: ideapad_laptop-Lenovo-G50-30-fix-rfkill-reports-wire.patch
 # rhbz 1180920 1206724
 Patch26253: pcmcia-fix-a-boot-time-warning-in-pcmcia-cs-code.patch
 
+#CVE-2015-1333 rhbz 1244171
+Patch26254: KEYS-ensure-we-free-the-assoc-array-edit-if-edit-is-.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1380,6 +1383,9 @@ ApplyPatch ideapad_laptop-Lenovo-G50-30-fix-rfkill-reports-wire.patch
 # rhbz 1180920 1206724
 ApplyPatch pcmcia-fix-a-boot-time-warning-in-pcmcia-cs-code.patch
 
+#CVE-2015-1333 rhbz 1244171
+ApplyPatch KEYS-ensure-we-free-the-assoc-array-edit-if-edit-is-.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2239,6 +2245,9 @@ fi
 #                                    ||----w |
 #                                    ||     ||
 %changelog
+* Mon Jul 27 2015 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2015-1333 add_key memory leak (rhbz 1244171)
+
 * Thu Jul 23 2015 Laura Abbott <labbott@fedoraproject.org> - 4.1.3-100
 - Linux v4.1.3 rebase
 - Fix warning from pcmcia (rhbz 1180920 1206724)