diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-01-21 13:14:31 +0100 |
---|---|---|
committer | Tudor Florea <tudor.florea@enea.com> | 2016-01-22 03:17:52 +0100 |
commit | e568d65e41f3fde7db8a8aab60ac7e750ea73325 (patch) | |
tree | 576d79c9bb0eb91190942587faf8da6c0bdb4c82 /recipes-kernel/linux | |
parent | ac8af89d18d9ea12747354bbb8f34dc04c6613e9 (diff) | |
download | meta-hierofalcon-e568d65e41f3fde7db8a8aab60ac7e750ea73325.tar.gz |
security-keys: CVE-2016-0728
Fixes possible use-after-free vulnerability in keyring facility.
Introduced by:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/
?id=3a50597de8635cd05133bd12c95681c82fe7b878
References:
http://perception-point.io/2016/01/14/analysis-and-exploitation-of-
a-linux-kernel-vulnerability-cve-2016-0728/
https://bugzilla.redhat.com/show_bug.cgi?id=1297475
Red Hat KCS article:
https://access.redhat.com/articles/2131021
Patch is taken from:
https://bugzilla.redhat.com/attachment.cgi?id=1116563
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Diffstat (limited to 'recipes-kernel/linux')
-rw-r--r-- | recipes-kernel/linux/linux-hierofalcon/security-keys-CVE-2016-0728.patch | 74 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-hierofalcon_3.19.bb | 1 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-hierofalcon_4.1.bb | 1 |
3 files changed, 76 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-hierofalcon/security-keys-CVE-2016-0728.patch b/recipes-kernel/linux/linux-hierofalcon/security-keys-CVE-2016-0728.patch new file mode 100644 index 0000000..40aa836 --- /dev/null +++ b/recipes-kernel/linux/linux-hierofalcon/security-keys-CVE-2016-0728.patch | |||
@@ -0,0 +1,74 @@ | |||
1 | commit 5c65d8a9989a89901b87ad13a06011a9a0e3d828 | ||
2 | Author: Yevgeny Pats <yevgeny@perception-point.io> | ||
3 | Date: Mon Jan 11 12:05:28 2016 +0000 | ||
4 | |||
5 | KEYS: Fix keyring ref leak in join_session_keyring() | ||
6 | |||
7 | If a thread is asked to join as a session keyring the keyring that's already | ||
8 | set as its session, we leak a keyring reference. | ||
9 | |||
10 | This can be tested with the following program: | ||
11 | |||
12 | #include <stddef.h> | ||
13 | #include <stdio.h> | ||
14 | #include <sys/types.h> | ||
15 | #include <keyutils.h> | ||
16 | |||
17 | int main(int argc, const char *argv[]) | ||
18 | { | ||
19 | int i = 0; | ||
20 | key_serial_t serial; | ||
21 | |||
22 | serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, | ||
23 | "leaked-keyring"); | ||
24 | if (serial < 0) { | ||
25 | perror("keyctl"); | ||
26 | return -1; | ||
27 | } | ||
28 | |||
29 | if (keyctl(KEYCTL_SETPERM, serial, | ||
30 | KEY_POS_ALL | KEY_USR_ALL) < 0) { | ||
31 | perror("keyctl"); | ||
32 | return -1; | ||
33 | } | ||
34 | |||
35 | for (i = 0; i < 100; i++) { | ||
36 | serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, | ||
37 | "leaked-keyring"); | ||
38 | if (serial < 0) { | ||
39 | perror("keyctl"); | ||
40 | return -1; | ||
41 | } | ||
42 | } | ||
43 | |||
44 | return 0; | ||
45 | } | ||
46 | |||
47 | If, after the program has run, there something like the following line in | ||
48 | /proc/keys: | ||
49 | |||
50 | 3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty | ||
51 | |||
52 | with a usage count of 100 * the number of times the program has been run, | ||
53 | then the kernel is malfunctioning. If leaked-keyring has zero usages or | ||
54 | has been garbage collected, then the problem is fixed. | ||
55 | |||
56 | Fixes CVE-2016-0728. | ||
57 | Upstream-Status: Backport from https://bugzilla.redhat.com/show_bug.cgi?id=1297475 | ||
58 | |||
59 | Reported-by: Yevgeny Pats <yevgeny@perception-point.io> | ||
60 | Signed-off-by: David Howells <dhowells@redhat.com> | ||
61 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
62 | |||
63 | diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c | ||
64 | index a3f85d2a00bb..e6d50172872f 100644 | ||
65 | --- a/security/keys/process_keys.c | ||
66 | +++ b/security/keys/process_keys.c | ||
67 | @@ -794,6 +794,7 @@ long join_session_keyring(const char *name) | ||
68 | ret = PTR_ERR(keyring); | ||
69 | goto error2; | ||
70 | } else if (keyring == new->session_keyring) { | ||
71 | + key_put(keyring); | ||
72 | ret = 0; | ||
73 | goto error2; | ||
74 | } | ||
diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb index 6e44bbc..6e77066 100644 --- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb +++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb | |||
@@ -28,6 +28,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6 | |||
28 | file://ipv6-CVE-2015-2922.patch \ | 28 | file://ipv6-CVE-2015-2922.patch \ |
29 | file://ipv4-CVE-2015-3636.patch \ | 29 | file://ipv4-CVE-2015-3636.patch \ |
30 | file://usb-whiteheat-CVE-2015-5257.patch \ | 30 | file://usb-whiteheat-CVE-2015-5257.patch \ |
31 | file://security-keys-CVE-2016-0728.patch \ | ||
31 | " | 32 | " |
32 | 33 | ||
33 | S = "${WORKDIR}/git" | 34 | S = "${WORKDIR}/git" |
diff --git a/recipes-kernel/linux/linux-hierofalcon_4.1.bb b/recipes-kernel/linux/linux-hierofalcon_4.1.bb index 7c5c537..61b1dae 100644 --- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb +++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb | |||
@@ -27,6 +27,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64 | |||
27 | file://md-CVE-2015-5697.patch \ | 27 | file://md-CVE-2015-5697.patch \ |
28 | file://vhost-CVE-2015-6252.patch \ | 28 | file://vhost-CVE-2015-6252.patch \ |
29 | file://usb-whiteheat-CVE-2015-5257.patch \ | 29 | file://usb-whiteheat-CVE-2015-5257.patch \ |
30 | file://security-keys-CVE-2016-0728.patch \ | ||
30 | " | 31 | " |
31 | 32 | ||
32 | S = "${WORKDIR}/git" | 33 | S = "${WORKDIR}/git" |