authorSona Sarmadi <sona.sarmadi@enea.com>2016-01-21 13:14:31 +0100
committerTudor Florea <tudor.florea@enea.com>2016-01-22 03:17:52 +0100
commite568d65e41f3fde7db8a8aab60ac7e750ea73325 (patch)
tree576d79c9bb0eb91190942587faf8da6c0bdb4c82 /recipes-kernel/linux
parentac8af89d18d9ea12747354bbb8f34dc04c6613e9 (diff)
security-keys: CVE-2016-0728
Fixes a possible use-after-free vulnerability in the keyring facility.

Introduced by:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3a50597de8635cd05133bd12c95681c82fe7b878

References:
http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
https://bugzilla.redhat.com/show_bug.cgi?id=1297475
Red Hat KCS article: https://access.redhat.com/articles/2131021

Patch is taken from:
https://bugzilla.redhat.com/attachment.cgi?id=1116563

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Diffstat (limited to 'recipes-kernel/linux')
-rw-r--r--recipes-kernel/linux/linux-hierofalcon/security-keys-CVE-2016-0728.patch74
-rw-r--r--recipes-kernel/linux/linux-hierofalcon_3.19.bb1
-rw-r--r--recipes-kernel/linux/linux-hierofalcon_4.1.bb1
3 files changed, 76 insertions, 0 deletions
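diff --git a/recipes-kernel/linux/linux-hierofalcon/security-keys-CVE-2016-0728.patch b/recipes-kernel/linux/linux-hierofalcon/security-keys-CVE-2016-0728.patch
new file mode 100644
index 0000000..40aa836
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon/security-keys-CVE-2016-0728.patch
@@ -0,0 +1,74 @@
+commit 5c65d8a9989a89901b87ad13a06011a9a0e3d828
+Author: Yevgeny Pats <yevgeny@perception-point.io>
+Date: Mon Jan 11 12:05:28 2016 +0000
+
+ KEYS: Fix keyring ref leak in join_session_keyring()
+
+ If a thread is asked to join as a session keyring the keyring that's already
+ set as its session, we leak a keyring reference.
+
+ This can be tested with the following program:
+
+ #include <stddef.h>
+ #include <stdio.h>
+ #include <sys/types.h>
+ #include <keyutils.h>
+
+ int main(int argc, const char *argv[])
+ {
+ int i = 0;
+ key_serial_t serial;
+
+ serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
+ "leaked-keyring");
+ if (serial < 0) {
+ perror("keyctl");
+ return -1;
+ }
+
+ if (keyctl(KEYCTL_SETPERM, serial,
+ KEY_POS_ALL | KEY_USR_ALL) < 0) {
+ perror("keyctl");
+ return -1;
+ }
+
+ for (i = 0; i < 100; i++) {
+ serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
+ "leaked-keyring");
+ if (serial < 0) {
+ perror("keyctl");
+ return -1;
+ }
+ }
+
+ return 0;
+ }
+
+ If, after the program has run, there something like the following line in
+ /proc/keys:
+
+ 3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty
+
+ with a usage count of 100 * the number of times the program has been run,
+ then the kernel is malfunctioning. If leaked-keyring has zero usages or
+ has been garbage collected, then the problem is fixed.
+
+ Fixes CVE-2016-0728.
+ Upstream-Status: Backport from https://bugzilla.redhat.com/show_bug.cgi?id=1297475
+
+ Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
+ Signed-off-by: David Howells <dhowells@redhat.com>
+ Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
+index a3f85d2a00bb..e6d50172872f 100644
+--- a/security/keys/process_keys.c
++++ b/security/keys/process_keys.c
+@@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
+ ret = PTR_ERR(keyring);
+ goto error2;
+ } else if (keyring == new->session_keyring) {
++ key_put(keyring);
+ ret = 0;
+ goto error2;
+ }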
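Review bot: The patch header's provenance is weaker than a security backport needs: `Upstream-Status: Backport from https://bugzilla.redhat.com/show_bug.cgi?id=1297475` points at a bug tracker, and the `commit 5c65d8a9989a89901b87ad13a06011a9a0e3d828` id at the top is not tied to any named tree on this page. I would record the mainline commit once it is known, e.g. `Upstream-Status: Backport [<mainline commit id>]`, and add a `CVE: CVE-2016-0728` tag line beside it so the fix can be tracked and dropped cleanly on the next kernel uprev. The code change itself is a single `key_put(keyring);` in the `keyring == new->session_keyring` branch. join_session_keyring() starts and ends outside the hunk, so the reference it releases is presumably the one taken by the keyring lookup just above, which should be confirmed in each kernel tree that carries this patch. The /proc/keys usage-count check described in the header is a usable regression test for built images.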
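diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
index 6e44bbc..6e77066 100644
--- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
@@ -28,6 +28,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6
  file://ipv6-CVE-2015-2922.patch \
  file://ipv4-CVE-2015-3636.patch \
  file://usb-whiteheat-CVE-2015-5257.patch \
+ file://security-keys-CVE-2016-0728.patch \
  "
 
 S = "${WORKDIR}/git"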
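Review bot: The same `security-keys-CVE-2016-0728.patch` is added to SRC_URI here and in linux-hierofalcon_4.1.bb, but its single hunk carries one fixed position (`@@ -794,6 +794,7 @@`) and one pre-image index, so in at least one of the two kernel trees it may apply only with an offset. A `key_put()` that landed in the wrong branch would itself unbalance the keyring refcount. It is therefore worth checking the do_patch log of both recipes to confirm the hunk applies without fuzz inside the `keyring == new->session_keyring` branch of join_session_keyring(). Recording the result in the patch header, for example `Verified to apply to linux-yocto 3.19 and 4.1`, would save the next maintainer from repeating the check.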
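diff --git a/recipes-kernel/linux/linux-hierofalcon_4.1.bb b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
index 7c5c537..61b1dae 100644
--- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
@@ -27,6 +27,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64
  file://md-CVE-2015-5697.patch \
  file://vhost-CVE-2015-6252.patch \
  file://usb-whiteheat-CVE-2015-5257.patch \
+ file://security-keys-CVE-2016-0728.patch \
  "
 
 S = "${WORKDIR}/git"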