recipes-kernel/linux/linux-hierofalcon/security-keys-CVE-2016-0728.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74

commit 5c65d8a9989a89901b87ad13a06011a9a0e3d828
Author: Yevgeny Pats <yevgeny@perception-point.io>
Date:   Mon Jan 11 12:05:28 2016 +0000

    KEYS: Fix keyring ref leak in join_session_keyring()
    
    If a thread is asked to join as a session keyring the keyring that's already
    set as its session, we leak a keyring reference.
    
    This can be tested with the following program:
    
    	#include <stddef.h>
    	#include <stdio.h>
    	#include <sys/types.h>
    	#include <keyutils.h>
    
    	int main(int argc, const char *argv[])
    	{
    		int i = 0;
    		key_serial_t serial;
    
    		serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
    				"leaked-keyring");
    		if (serial < 0) {
    			perror("keyctl");
    			return -1;
    		}
    
    		if (keyctl(KEYCTL_SETPERM, serial,
    			   KEY_POS_ALL | KEY_USR_ALL) < 0) {
    			perror("keyctl");
    			return -1;
    		}
    
    		for (i = 0; i < 100; i++) {
    			serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
    					"leaked-keyring");
    			if (serial < 0) {
    				perror("keyctl");
    				return -1;
    			}
    		}
    
    		return 0;
    	}
    
    If, after the program has run, there something like the following line in
    /proc/keys:
    
    3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty
    
    with a usage count of 100 * the number of times the program has been run,
    then the kernel is malfunctioning.  If leaked-keyring has zero usages or
    has been garbage collected, then the problem is fixed.

    Fixes CVE-2016-0728.
    Upstream-Status: Backport from https://bugzilla.redhat.com/show_bug.cgi?id=1297475
    
    Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>

diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index a3f85d2a00bb..e6d50172872f 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
 		ret = PTR_ERR(keyring);
 		goto error2;
 	} else if (keyring == new->session_keyring) {
+		key_put(keyring);
 		ret = 0;
 		goto error2;
 	}