From 0f872cd4568b47572a581f73a1661029d1db7987 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Wed, 15 Jun 2016 09:37:42 -0400
Subject: [PATCH] CVE-2016-4470 keys: uninitialized variable crash (rhbz
 1341716 1346626)

---
 KEYS-potential-uninitialized-variable.patch | 30 +++++++++++++++++++++
 kernel.spec                                 |  6 +++++
 2 files changed, 36 insertions(+)
 create mode 100644 KEYS-potential-uninitialized-variable.patch

diff --git a/KEYS-potential-uninitialized-variable.patch b/KEYS-potential-uninitialized-variable.patch
new file mode 100644
index 000000000..23cabbb2e
--- /dev/null
+++ b/KEYS-potential-uninitialized-variable.patch
@@ -0,0 +1,30 @@
+From 82a50018782f84e733e718d4b24e1653d19333be Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 15 Jun 2016 09:31:45 -0400
+Subject: [PATCH] KEYS: potential uninitialized variable
+
+If __key_link_begin() failed then "edit" would be uninitialized.  I've
+added a check to fix that.
+
+Fixes: f70e2e06196a ('KEYS: Do preallocation for __key_link()')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+---
+ security/keys/key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/keys/key.c b/security/keys/key.c
+index bd5a272f28a6..346fbf201c22 100644
+--- a/security/keys/key.c
++++ b/security/keys/key.c
+@@ -597,7 +597,7 @@ int key_reject_and_link(struct key *key,
+ 
+ 	mutex_unlock(&key_construction_mutex);
+ 
+-	if (keyring)
++	if (keyring && link_ret == 0)
+ 		__key_link_end(keyring, &key->index_key, edit);
+ 
+ 	/* wake up anyone waiting for a key to be constructed */
+-- 
+2.5.5
+
diff --git a/kernel.spec b/kernel.spec
index 71d7bfa82..b825cdd6d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -633,6 +633,9 @@ Patch723: proc-prevent-stacking-filesystems-on-top.patch
 Patch725: ecryptfs-forbid-opening-files-without-mmap-handler.patch
 Patch726: sched-panic-on-corrupted-stack-end.patch
 
+#CVE-2016-4470 rhbz 1341716 1346626
+Patch727: KEYS-potential-uninitialized-variable.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2158,6 +2161,9 @@ fi
 #
 # 
 %changelog
+* Wed Jun 15 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-4470 keys: uninitialized variable crash (rhbz 1341716 1346626)
+
 * Tue Jun 14 2016 Peter Robinson <pbrobinson@fedoraproject.org>
 - Enable Infiniband on ARM now we have HW