diff --git a/KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch b/KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch new file mode 100644 index 0000000..3837037 --- /dev/null +++ b/KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch @@ -0,0 +1,125 @@ +From 3b34bea74e636583d34c8e472237a0bea1e3ba93 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Tue, 24 Nov 2015 21:36:31 +0000 +Subject: [PATCH] KEYS: Fix handling of stored error in a negatively + instantiated user key + +If a user key gets negatively instantiated, an error code is cached in the +payload area. A negatively instantiated key may be then be positively +instantiated by updating it with valid data. However, the ->update key +type method must be aware that the error code may be there. + +The following may be used to trigger the bug in the user key type: + + keyctl request2 user user "" @u + keyctl add user user "a" @u + +which manifests itself as: + + BUG: unable to handle kernel paging request at 00000000ffffff8a + IP: [] __call_rcu.constprop.76+0x1f/0x280 kernel/rcu/tree.c:3046 + PGD 7cc30067 PUD 0 + Oops: 0002 [#1] SMP + Modules linked in: + CPU: 3 PID: 2644 Comm: a.out Not tainted 4.3.0+ #49 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + task: ffff88003ddea700 ti: ffff88003dd88000 task.ti: ffff88003dd88000 + RIP: 0010:[] [] __call_rcu.constprop.76+0x1f/0x280 + [] __call_rcu.constprop.76+0x1f/0x280 kernel/rcu/tree.c:3046 + RSP: 0018:ffff88003dd8bdb0 EFLAGS: 00010246 + RAX: 00000000ffffff82 RBX: 0000000000000000 RCX: 0000000000000001 + RDX: ffffffff81e3fe40 RSI: 0000000000000000 RDI: 00000000ffffff82 + RBP: ffff88003dd8bde0 R08: ffff88007d2d2da0 R09: 0000000000000000 + R10: 0000000000000000 R11: ffff88003e8073c0 R12: 00000000ffffff82 + R13: ffff88003dd8be68 R14: ffff88007d027600 R15: ffff88003ddea700 + FS: 0000000000b92880(0063) GS:ffff88007fd00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b + CR2: 00000000ffffff8a CR3: 000000007cc5f000 CR4: 00000000000006e0 + Stack: + ffff88003dd8bdf0 ffffffff81160a8a 0000000000000000 00000000ffffff82 + ffff88003dd8be68 ffff88007d027600 ffff88003dd8bdf0 ffffffff810a39e5 + ffff88003dd8be20 ffffffff812a31ab ffff88007d027600 ffff88007d027620 + Call Trace: + [] kfree_call_rcu+0x15/0x20 kernel/rcu/tree.c:3136 + [] user_update+0x8b/0xb0 security/keys/user_defined.c:129 + [< inline >] __key_update security/keys/key.c:730 + [] key_create_or_update+0x291/0x440 security/keys/key.c:908 + [< inline >] SYSC_add_key security/keys/keyctl.c:125 + [] SyS_add_key+0x101/0x1e0 security/keys/keyctl.c:60 + [] entry_SYSCALL_64_fastpath+0x12/0x6a arch/x86/entry/entry_64.S:185 + +Note the error code (-ENOKEY) in EDX. + +A similar bug can be tripped by: + + keyctl request2 trusted user "" @u + keyctl add trusted user "a" @u + +This should also affect encrypted keys - but that has to be correctly +parameterised or it will fail with EINVAL before getting to the bit that +will crashes. + +Reported-by: Dmitry Vyukov +Signed-off-by: David Howells +Acked-by: Mimi Zohar +Signed-off-by: James Morris +--- + security/keys/encrypted-keys/encrypted.c | 2 ++ + security/keys/trusted.c | 5 ++++- + security/keys/user_defined.c | 5 ++++- + 3 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c +index 7bed4ad7cd76..0a374a2ce030 100644 +--- a/security/keys/encrypted-keys/encrypted.c ++++ b/security/keys/encrypted-keys/encrypted.c +@@ -845,6 +845,8 @@ static int encrypted_update(struct key *key, struct key_preparsed_payload *prep) + size_t datalen = prep->datalen; + int ret = 0; + ++ if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) ++ return -ENOKEY; + if (datalen <= 0 || datalen > 32767 || !prep->data) + return -EINVAL; + +diff --git a/security/keys/trusted.c b/security/keys/trusted.c +index c0594cb07ada..aeb38f1a12e7 100644 +--- a/security/keys/trusted.c ++++ b/security/keys/trusted.c +@@ -984,13 +984,16 @@ static void trusted_rcu_free(struct rcu_head *rcu) + */ + static int trusted_update(struct key *key, struct key_preparsed_payload *prep) + { +- struct trusted_key_payload *p = key->payload.data; ++ struct trusted_key_payload *p; + struct trusted_key_payload *new_p; + struct trusted_key_options *new_o; + size_t datalen = prep->datalen; + char *datablob; + int ret = 0; + ++ if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) ++ return -ENOKEY; ++ p = key->payload.data; + if (!p->migratable) + return -EPERM; + if (datalen <= 0 || datalen > 32767 || !prep->data) +diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c +index 36b47bbd3d8c..7cf22260bdff 100644 +--- a/security/keys/user_defined.c ++++ b/security/keys/user_defined.c +@@ -120,7 +120,10 @@ int user_update(struct key *key, struct key_preparsed_payload *prep) + + if (ret == 0) { + /* attach the new data, displacing the old */ +- zap = key->payload.data; ++ if (!test_bit(KEY_FLAG_NEGATIVE, &key->flags)) ++ zap = key->payload.data; ++ else ++ zap = NULL; + rcu_assign_keypointer(key, upayload); + key->expiry = 0; + } +-- +2.5.0 + diff --git a/kernel.spec b/kernel.spec index f213f0a..285baaa 100644 --- a/kernel.spec +++ b/kernel.spec @@ -649,6 +649,9 @@ Patch562: 0003-KVM-x86-fix-previous-commit-for-32-bit.patch #CVE-2015-8374 rhbz 1286261 1286262 Patch565: Btrfs-fix-truncation-of-compressed-and-inlined-exten.patch +#rhbz 1284059 +Patch566: KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch + # END OF PATCH DEFINITIONS %endif @@ -2094,6 +2097,7 @@ fi # %changelog * Mon Nov 30 2015 Josh Boyer +- Fix crash in add_key (rhbz 1284059) - CVE-2015-8374 btrfs: info leak when truncating compressed/inlined extents (rhbz 1286261 1286262) * Fri Nov 20 2015 Justin M. Forbes