author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-01-08 15:05:55 +0100 |
---|---|---|
committer | Paul Vaduva <Paul.Vaduva@enea.com> | 2016-01-11 12:43:57 +0100 |
commit | 49e3f5a83e0150115261225287385fdd2c93d811 (patch) | |
tree | d0da3b5a4531c79dec57094ce9f0e979ca3559a5 | |
parent | 297be792a99a2ffdb13871f07bfb35eef6febdf2 (diff) | |
download | meta-enea-49e3f5a83e0150115261225287385fdd2c93d811.tar.gz |
keys: CVE-2014-9529
Fixes a race condition flaw in the Linux kernel keys management.
A local attacker could attempt accessing a key while it was being
garbage collected, which would cause the system to crash.
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9529
Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=cf69173f59163182c12e0ecbda52721397468763
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Vaduva <Paul.Vaduva@enea.com>
-rw-r--r-- | recipes-kernel/linux/files/keys-CVE-2014-9529-3.14-kernel.patch | 52 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-yocto_3.14.bbappend | 1 |
2 files changed, 53 insertions, 0 deletions
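diff --git a/recipes-kernel/linux/files/keys-CVE-2014-9529-3.14-kernel.patch b/recipes-kernel/linux/files/keys-CVE-2014-9529-3.14-kernel.patch
new file mode 100644
index 0000000..411c66e
--- /dev/null
+++ b/recipes-kernel/linux/files/keys-CVE-2014-9529-3.14-kernel.patch
@@ -0,0 +1,52 @@
+From cf69173f59163182c12e0ecbda52721397468763 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sasha.levin@oracle.com>
+Date: Mon, 29 Dec 2014 09:39:01 -0500
+Subject: KEYS: close race between key lookup and freeing
+
+commit a3a8784454692dd72e5d5d34dcdab17b4420e74c upstream.
+
+When a key is being garbage collected, it's key->user would get put before
+the ->destroy() callback is called, where the key is removed from it's
+respective tracking structures.
+
+This leaves a key hanging in a semi-invalid state which leaves a window open
+for a different task to try an access key->user. An example is
+find_keyring_by_name() which would dereference key->user for a key that is
+in the process of being garbage collected (where key->user was freed but
+->destroy() wasn't called yet - so it's still present in the linked list).
+
+This would cause either a panic, or corrupt memory.
+
+Fixes CVE-2014-9529.
+Upstream-Status: Backport
+
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+security/keys/gc.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/security/keys/gc.c b/security/keys/gc.c
+index d3222b6..009d937 100644
+--- a/security/keys/gc.c
++++ b/security/keys/gc.c
+@@ -157,12 +157,12 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
+if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
+atomic_dec(&key->user->nikeys);
+
+- key_user_put(key->user);
+-
+/* now throw away the key memory */
+if (key->type->destroy)
+key->type->destroy(key);
+
++ key_user_put(key->user);
++
+kfree(key->description);
+
+#ifdef KEY_DEBUGGING
+--
+cgit v0.11.2
+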
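Review bot: The new patch file's header names the CVE only in free text (`Fixes CVE-2014-9529.`, just above `Upstream-Status: Backport`) and in the file name. Adding a `CVE: CVE-2014-9529` tag line next to `Upstream-Status: Backport` would make the fix matchable by CVE-tracking tooling and by auditors even if the file is later renamed; this assumes the layer follows the usual OpenEmbedded patch-header convention. Provenance is otherwise traceable, since the stable commit id is in the `From` line and the mainline commit id is quoted in the body. The embedded gc.c hunk should stay byte-identical to upstream. key_gc_unused_keys() starts and ends outside that hunk, so this page cannot show whether any later line of the function still reads `key->user` after the moved `key_user_put(key->user);`.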
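diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend
index b7933d1..10ea463 100644
--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -3,6 +3,7 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
 SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-details.patch \
 file://splice-CVE-2014-7822-3.14-kernel.patch \
 file://netfilter-CVE-2014-8160-3.14-kernel.patch \
+file://keys-CVE-2014-9529-3.14-kernel.patch \
 file://keys-CVE-2015-1333.patch \
 file://udp_fix_behavior_of_wrong_checksums.patch \
 file://net-CVE-2015-2041.patch \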