From e568d65e41f3fde7db8a8aab60ac7e750ea73325 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Thu, 21 Jan 2016 13:14:31 +0100
Subject: security-keys: CVE-2016-0728

Fixes possible use-after-free vulnerability in keyring facility.
Introduced by: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/ ?id=3a50597de8635cd05133bd12c95681c82fe7b878
References: http://perception-point.io/2016/01/14/analysis-and-exploitation-of- a-linux-kernel-vulnerability-cve-2016-0728/ https://bugzilla.redhat.com/show_bug.cgi?id=1297475
Red Hat KCS article: https://access.redhat.com/articles/2131021
Patch is taken from: https://bugzilla.redhat.com/attachment.cgi?id=1116563
Signed-off-by: Sona Sarmadi
Signed-off-by: Tudor Florea
---
 .../security-keys-CVE-2016-0728.patch | 74 ++++++++++++++++++++++
 recipes-kernel/linux/linux-hierofalcon_3.19.bb | 1 +
 recipes-kernel/linux/linux-hierofalcon_4.1.bb | 1 +
 3 files changed, 76 insertions(+)
 create mode 100644 recipes-kernel/linux/linux-hierofalcon/security-keys-CVE-2016-0728.patch
diff --git a/recipes-kernel/linux/linux-hierofalcon/security-keys-CVE-2016-0728.patch b/recipes-kernel/linux/linux-hierofalcon/security-keys-CVE-2016-0728.patch
new file mode 100644
index 0000000..40aa836
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon/security-keys-CVE-2016-0728.patch
@@ -0,0 +1,74 @@
+commit 5c65d8a9989a89901b87ad13a06011a9a0e3d828
+Author: Yevgeny Pats
+Date: Mon Jan 11 12:05:28 2016 +0000
+
+ KEYS: Fix keyring ref leak in join_session_keyring()
+
+ If a thread is asked to join as a session keyring the keyring that's already
+ set as its session, we leak a keyring reference.
+
+ This can be tested with the following program:
+
+ #include
+ #include
+ #include
+ #include
+
+ int main(int argc, const char *argv[])
+ {
+ int i = 0;
+ key_serial_t serial;
+
+ serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
+ "leaked-keyring");
+ if (serial < 0) {
+ perror("keyctl");
+ return -1;
+ }
+
+ if (keyctl(KEYCTL_SETPERM, serial,
+ KEY_POS_ALL | KEY_USR_ALL) < 0) {
+ perror("keyctl");
+ return -1;
+ }
+
+ for (i = 0; i < 100; i++) {
+ serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
+ "leaked-keyring");
+ if (serial < 0) {
+ perror("keyctl");
+ return -1;
+ }
+ }
+
+ return 0;
+ }
+
+ If, after the program has run, there something like the following line in
+ /proc/keys:
+
+ 3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty
+
+ with a usage count of 100 * the number of times the program has been run,
+ then the kernel is malfunctioning. If leaked-keyring has zero usages or
+ has been garbage collected, then the problem is fixed.
+
+ Fixes CVE-2016-0728.
+ Upstream-Status: Backport from https://bugzilla.redhat.com/show_bug.cgi?id=1297475
+
+ Reported-by: Yevgeny Pats
+ Signed-off-by: David Howells
+ Signed-off-by: Sona Sarmadi
+
+diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
+index a3f85d2a00bb..e6d50172872f 100644
+--- a/security/keys/process_keys.c
++++ b/security/keys/process_keys.c
+@@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
+ ret = PTR_ERR(keyring);
+ goto error2;
+ } else if (keyring == new->session_keyring) {
++ key_put(keyring);
+ ret = 0;
+ goto error2;
+ }
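Review bot: The `Upstream-Status:` trailer in the embedded patch header (the line after `Fixes CVE-2016-0728.`) points at a distribution bugzilla rather than the upstream kernel commit, so the layer's patch metadata does not record where the fix actually landed; I would change it to `Upstream-Status: Backport [<mainline-commit-id>]` naming the mainline commit that carries this change, and add a `CVE: CVE-2016-0728` line beside it so the CVE is tagged explicitly instead of being implied only by the file name. The `#include` lines of the reproducer in the commit message appear to have lost their header names, which looks like an extraction artifact of this page rather than of the patch on disk, but is worth a glance since that text is what a future maintainer reads to judge whether the fix is still needed. The one-line code change, `key_put(keyring);` before the early `goto error2` when `keyring == new->session_keyring`, drops the reference the lookup took and is the same change as the upstream fix; `join_session_keyring` starts and ends outside the hunk.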
diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
index 6e44bbc..6e77066 100644
--- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
@@ -28,6 +28,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6
 file://ipv6-CVE-2015-2922.patch \
 file://ipv4-CVE-2015-3636.patch \
 file://usb-whiteheat-CVE-2015-5257.patch \
+ file://security-keys-CVE-2016-0728.patch \
 "
 
 S = "${WORKDIR}/git"
diff --git a/recipes-kernel/linux/linux-hierofalcon_4.1.bb b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
index 7c5c537..61b1dae 100644
--- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
@@ -27,6 +27,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64
 file://md-CVE-2015-5697.patch \
 file://vhost-CVE-2015-6252.patch \
 file://usb-whiteheat-CVE-2015-5257.patch \
+ file://security-keys-CVE-2016-0728.patch \
 "
 
 S = "${WORKDIR}/git"
-- 
cgit v1.2.3-54-g00ecf
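Review bot: Adding the same patch to both the 3.19 and 4.1 recipes assumes neither pinned kernel already carries the fix; the linux-yocto trees track the stable series, so it is worth checking, at the SRCREV each recipe pins, that `security/keys/process_keys.c` does not already contain the `key_put(keyring)` line on that path, because a patch whose added line is already present fails in do_patch as already applied. The same check applies to the second hunk, `linux-hierofalcon_4.1.bb`, which is the more likely of the two to have picked the fix up from stable. The `SRC_URI` assignment these lines extend begins above the hunk, so only its tail is visible here.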