diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-01-21 11:10:27 +0100 |
---|---|---|
committer | Tudor Florea <tudor.florea@enea.com> | 2016-01-22 01:49:30 +0100 |
commit | 618f92251544de938a21b88be6205b42e03e9d44 (patch) | |
tree | 0173482f79d4e9f0cadb2388583304ff090baa78 /recipes-kernel/linux/files/security-keys-CVE-2016-0728.patch | |
parent | b743c20e004d23a8eb0f5f7553a0c709284336c0 (diff) | |
download | meta-enea-618f92251544de938a21b88be6205b42e03e9d44.tar.gz |
security-keys: CVE-2016-0728
Fixes possible use-after-free vulnerability in keyring facility.
Introduced by:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/
?id=3a50597de8635cd05133bd12c95681c82fe7b878
References:
http://perception-point.io/2016/01/14/analysis-and-exploitation-of-
a-linux-kernel-vulnerability-cve-2016-0728/
https://bugzilla.redhat.com/show_bug.cgi?id=1297475
Red Hat KCS article:
https://access.redhat.com/articles/2131021
Patch is taken from:
https://bugzilla.redhat.com/attachment.cgi?id=1116563
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Diffstat (limited to 'recipes-kernel/linux/files/security-keys-CVE-2016-0728.patch')
-rw-r--r-- | recipes-kernel/linux/files/security-keys-CVE-2016-0728.patch | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/security-keys-CVE-2016-0728.patch b/recipes-kernel/linux/files/security-keys-CVE-2016-0728.patch new file mode 100644 index 0000000..40aa836 --- /dev/null +++ b/recipes-kernel/linux/files/security-keys-CVE-2016-0728.patch | |||
@@ -0,0 +1,74 @@ | |||
1 | commit 5c65d8a9989a89901b87ad13a06011a9a0e3d828 | ||
2 | Author: Yevgeny Pats <yevgeny@perception-point.io> | ||
3 | Date: Mon Jan 11 12:05:28 2016 +0000 | ||
4 | |||
5 | KEYS: Fix keyring ref leak in join_session_keyring() | ||
6 | |||
7 | If a thread is asked to join as a session keyring the keyring that's already | ||
8 | set as its session, we leak a keyring reference. | ||
9 | |||
10 | This can be tested with the following program: | ||
11 | |||
12 | #include <stddef.h> | ||
13 | #include <stdio.h> | ||
14 | #include <sys/types.h> | ||
15 | #include <keyutils.h> | ||
16 | |||
17 | int main(int argc, const char *argv[]) | ||
18 | { | ||
19 | int i = 0; | ||
20 | key_serial_t serial; | ||
21 | |||
22 | serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, | ||
23 | "leaked-keyring"); | ||
24 | if (serial < 0) { | ||
25 | perror("keyctl"); | ||
26 | return -1; | ||
27 | } | ||
28 | |||
29 | if (keyctl(KEYCTL_SETPERM, serial, | ||
30 | KEY_POS_ALL | KEY_USR_ALL) < 0) { | ||
31 | perror("keyctl"); | ||
32 | return -1; | ||
33 | } | ||
34 | |||
35 | for (i = 0; i < 100; i++) { | ||
36 | serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, | ||
37 | "leaked-keyring"); | ||
38 | if (serial < 0) { | ||
39 | perror("keyctl"); | ||
40 | return -1; | ||
41 | } | ||
42 | } | ||
43 | |||
44 | return 0; | ||
45 | } | ||
46 | |||
47 | If, after the program has run, there something like the following line in | ||
48 | /proc/keys: | ||
49 | |||
50 | 3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty | ||
51 | |||
52 | with a usage count of 100 * the number of times the program has been run, | ||
53 | then the kernel is malfunctioning. If leaked-keyring has zero usages or | ||
54 | has been garbage collected, then the problem is fixed. | ||
55 | |||
56 | Fixes CVE-2016-0728. | ||
57 | Upstream-Status: Backport from https://bugzilla.redhat.com/show_bug.cgi?id=1297475 | ||
58 | |||
59 | Reported-by: Yevgeny Pats <yevgeny@perception-point.io> | ||
60 | Signed-off-by: David Howells <dhowells@redhat.com> | ||
61 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
62 | |||
63 | diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c | ||
64 | index a3f85d2a00bb..e6d50172872f 100644 | ||
65 | --- a/security/keys/process_keys.c | ||
66 | +++ b/security/keys/process_keys.c | ||
67 | @@ -794,6 +794,7 @@ long join_session_keyring(const char *name) | ||
68 | ret = PTR_ERR(keyring); | ||
69 | goto error2; | ||
70 | } else if (keyring == new->session_keyring) { | ||
71 | + key_put(keyring); | ||
72 | ret = 0; | ||
73 | goto error2; | ||
74 | } | ||