kernel/keys-fix-bug-in-keyctl-session-to-parent-if-parent-has-no-session-keyring.patch

From: David Howells <dhowells@redhat.com>
Subject: [PATCH] KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring

Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
of the parent process's session keyring whether or not the parent has a session
keyring [CVE-2010-2960].

A program like the following:

	#include <unistd.h>
	#include <keyutils.h>
	int main(int argc, char **argv)
	{
		keyctl(KEYCTL_SESSION_TO_PARENT);
	}

can be used to trigger the following bug report:

	BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
	IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443
	...
	Call Trace:
	 [<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443
	 [<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0
	 [<ffffffff811af98c>] sys_keyctl+0xb4/0xb8
	 [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b

if there is no parent process.

If the system is using pam_keyinit then it mostly protected against this as all
processes derived from a login will have inherited the session keyring created
by pam_keyinit during the log in procedure.

To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.

Signed-off-by: David Howells <dhowells@redhat.com>
---

 security/keys/keyctl.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)


diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 3868c67..60924f6 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1305,7 +1305,8 @@ long keyctl_session_to_parent(void)
 		goto not_permitted;
 
 	/* the keyrings must have the same UID */
-	if (pcred ->tgcred->session_keyring->uid != mycred->euid ||
+	if ((pcred->tgcred->session_keyring &&
+	     pcred->tgcred->session_keyring->uid != mycred->euid) ||
 	    mycred->tgcred->session_keyring->uid != mycred->euid)
 		goto not_permitted;