keys: CVE-2014-9529

Fixes a race condition flaw in the Linux kernel keys management. A local attacker could attempt accessing a key while it was being garbage collected, which would cause the system to crash. Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9529 Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=cf69173f59163182c12e0ecbda52721397468763 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Paul Vaduva <Paul.Vaduva@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-01-08 15:05:55 +0100
committer: Paul Vaduva <Paul.Vaduva@enea.com> 2016-01-11 12:43:57 +0100
commit: 49e3f5a83e0150115261225287385fdd2c93d811 (patch)
tree: d0da3b5a4531c79dec57094ce9f0e979ca3559a5
parent: 297be792a99a2ffdb13871f07bfb35eef6febdf2 (diff)
download: meta-enea-49e3f5a83e0150115261225287385fdd2c93d811.tar.gz
2 files changed, 53 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/keys-CVE-2014-9529-3.14-kernel.patch b/recipes-kernel/linux/files/keys-CVE-2014-9529-3.14-kernel.patch
new file mode 100644
index 0000000..411c66e
--- /dev/null
+++ b/recipes-kernel/linux/files/keys-CVE-2014-9529-3.14-kernel.patch
@@ -0,0 +1,52 @@
+From cf69173f59163182c12e0ecbda52721397468763 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sasha.levin@oracle.com>
+Date: Mon, 29 Dec 2014 09:39:01 -0500
+Subject: KEYS: close race between key lookup and freeing
+commit a3a8784454692dd72e5d5d34dcdab17b4420e74c upstream.
+When a key is being garbage collected, it's key->user would get put before
+the ->destroy() callback is called, where the key is removed from it's
+respective tracking structures.
+This leaves a key hanging in a semi-invalid state which leaves a window open
+for a different task to try an access key->user. An example is
+find_keyring_by_name() which would dereference key->user for a key that is
+in the process of being garbage collected (where key->user was freed but
+->destroy() wasn't called yet - so it's still present in the linked list).
+This would cause either a panic, or corrupt memory.
+Fixes CVE-2014-9529.
+Upstream-Status: Backport
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ security/keys/gc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/security/keys/gc.c b/security/keys/gc.c
+index d3222b6..009d937 100644
+--- a/security/keys/gc.c
+++ b/security/keys/gc.c
+@@ -157,12 +157,12 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
+                if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
+                        atomic_dec(&key->user->nikeys);
+ 
+-               key_user_put(key->user);
+-
+                /* now throw away the key memory */
+                if (key->type->destroy)
+                        key->type->destroy(key);
+ 
+               key_user_put(key->user);
+
+                kfree(key->description);
+ 
+ #ifdef KEY_DEBUGGING
+-- 
+cgit v0.11.2
diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend
index b7933d1..10ea463 100644
--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -3,6 +3,7 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
 SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-details.patch \
            file://splice-CVE-2014-7822-3.14-kernel.patch \
            file://netfilter-CVE-2014-8160-3.14-kernel.patch \
+            file://keys-CVE-2014-9529-3.14-kernel.patch \
            file://keys-CVE-2015-1333.patch \
            file://udp_fix_behavior_of_wrong_checksums.patch \
            file://net-CVE-2015-2041.patch \
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-01-08 15:05:55 +0100
committer	Paul Vaduva <Paul.Vaduva@enea.com>	2016-01-11 12:43:57 +0100
commit	49e3f5a83e0150115261225287385fdd2c93d811 (patch)
tree	d0da3b5a4531c79dec57094ce9f0e979ca3559a5
parent	297be792a99a2ffdb13871f07bfb35eef6febdf2 (diff)
download	meta-enea-49e3f5a83e0150115261225287385fdd2c93d811.tar.gz

diff --git a/recipes-kernel/linux/files/keys-CVE-2014-9529-3.14-kernel.patch b/recipes-kernel/linux/files/keys-CVE-2014-9529-3.14-kernel.patch new file mode 100644 index 0000000..411c66e --- /dev/null +++ b/recipes-kernel/linux/files/keys-CVE-2014-9529-3.14-kernel.patch
@@ -0,0 +1,52 @@
		1	From cf69173f59163182c12e0ecbda52721397468763 Mon Sep 17 00:00:00 2001
		2	From: Sasha Levin <sasha.levin@oracle.com>
		3	Date: Mon, 29 Dec 2014 09:39:01 -0500
		4	Subject: KEYS: close race between key lookup and freeing
		5
		6	commit a3a8784454692dd72e5d5d34dcdab17b4420e74c upstream.
		7
		8	When a key is being garbage collected, it's key->user would get put before
		9	the ->destroy() callback is called, where the key is removed from it's
		10	respective tracking structures.
		11
		12	This leaves a key hanging in a semi-invalid state which leaves a window open
		13	for a different task to try an access key->user. An example is
		14	find_keyring_by_name() which would dereference key->user for a key that is
		15	in the process of being garbage collected (where key->user was freed but
		16	->destroy() wasn't called yet - so it's still present in the linked list).
		17
		18	This would cause either a panic, or corrupt memory.
		19
		20	Fixes CVE-2014-9529.
		21	Upstream-Status: Backport
		22
		23	Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
		24	Signed-off-by: David Howells <dhowells@redhat.com>
		25	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		26	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		27	---
		28	security/keys/gc.c \| 4 ++--
		29	1 file changed, 2 insertions(+), 2 deletions(-)
		30
		31	diff --git a/security/keys/gc.c b/security/keys/gc.c
		32	index d3222b6..009d937 100644
		33	--- a/security/keys/gc.c
		34	+++ b/security/keys/gc.c
		35	@@ -157,12 +157,12 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
		36	if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
		37	atomic_dec(&key->user->nikeys);
		38
		39	- key_user_put(key->user);
		40	-
		41	/* now throw away the key memory */
		42	if (key->type->destroy)
		43	key->type->destroy(key);
		44
		45	+ key_user_put(key->user);
		46	+
		47	kfree(key->description);
		48
		49	#ifdef KEY_DEBUGGING
		50	--
		51	cgit v0.11.2
		52


diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend index b7933d1..10ea463 100644 --- a/recipes-kernel/linux/linux-yocto_3.14.bbappend +++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -3,6 +3,7 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
3	SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-details.patch \	3	SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-details.patch \
4	file://splice-CVE-2014-7822-3.14-kernel.patch \	4	file://splice-CVE-2014-7822-3.14-kernel.patch \
5	file://netfilter-CVE-2014-8160-3.14-kernel.patch \	5	file://netfilter-CVE-2014-8160-3.14-kernel.patch \
		6	file://keys-CVE-2014-9529-3.14-kernel.patch \
6	file://keys-CVE-2015-1333.patch \	7	file://keys-CVE-2015-1333.patch \
7	file://udp_fix_behavior_of_wrong_checksums.patch \	8	file://udp_fix_behavior_of_wrong_checksums.patch \
8	file://net-CVE-2015-2041.patch \	9	file://net-CVE-2015-2041.patch \