From 49e3f5a83e0150115261225287385fdd2c93d811 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Fri, 8 Jan 2016 15:05:55 +0100 Subject: keys: CVE-2014-9529 Fixes a race condition flaw in the Linux kernel keys management. A local attacker could attempt accessing a key while it was being garbage collected, which would cause the system to crash. Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9529 Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=cf69173f59163182c12e0ecbda52721397468763 Signed-off-by: Sona Sarmadi Signed-off-by: Paul Vaduva --- .../files/keys-CVE-2014-9529-3.14-kernel.patch | 52 ++++++++++++++++++++++ recipes-kernel/linux/linux-yocto_3.14.bbappend | 1 + 2 files changed, 53 insertions(+) create mode 100644 recipes-kernel/linux/files/keys-CVE-2014-9529-3.14-kernel.patch diff --git a/recipes-kernel/linux/files/keys-CVE-2014-9529-3.14-kernel.patch b/recipes-kernel/linux/files/keys-CVE-2014-9529-3.14-kernel.patch new file mode 100644 index 0000000..411c66e --- /dev/null +++ b/recipes-kernel/linux/files/keys-CVE-2014-9529-3.14-kernel.patch @@ -0,0 +1,52 @@ +From cf69173f59163182c12e0ecbda52721397468763 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Dec 2014 09:39:01 -0500 +Subject: KEYS: close race between key lookup and freeing + +commit a3a8784454692dd72e5d5d34dcdab17b4420e74c upstream. + +When a key is being garbage collected, it's key->user would get put before +the ->destroy() callback is called, where the key is removed from it's +respective tracking structures. + +This leaves a key hanging in a semi-invalid state which leaves a window open +for a different task to try an access key->user. An example is +find_keyring_by_name() which would dereference key->user for a key that is +in the process of being garbage collected (where key->user was freed but +->destroy() wasn't called yet - so it's still present in the linked list). + +This would cause either a panic, or corrupt memory. + +Fixes CVE-2014-9529. +Upstream-Status: Backport + +Signed-off-by: Sasha Levin +Signed-off-by: David Howells +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sona Sarmadi +--- + security/keys/gc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/security/keys/gc.c b/security/keys/gc.c +index d3222b6..009d937 100644 +--- a/security/keys/gc.c ++++ b/security/keys/gc.c +@@ -157,12 +157,12 @@ static noinline void key_gc_unused_keys(struct list_head *keys) + if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) + atomic_dec(&key->user->nikeys); + +- key_user_put(key->user); +- + /* now throw away the key memory */ + if (key->type->destroy) + key->type->destroy(key); + ++ key_user_put(key->user); ++ + kfree(key->description); + + #ifdef KEY_DEBUGGING +-- +cgit v0.11.2 + diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend index b7933d1..10ea463 100644 --- a/recipes-kernel/linux/linux-yocto_3.14.bbappend +++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend @@ -3,6 +3,7 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/files:" SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-details.patch \ file://splice-CVE-2014-7822-3.14-kernel.patch \ file://netfilter-CVE-2014-8160-3.14-kernel.patch \ + file://keys-CVE-2014-9529-3.14-kernel.patch \ file://keys-CVE-2015-1333.patch \ file://udp_fix_behavior_of_wrong_checksums.patch \ file://net-CVE-2015-2041.patch \ -- cgit v1.2.3-54-g00ecf