Revert extra fix for credentials leak (#683568)
parent
d54c89365e
commit
1caa10e2d5
@ -2158,9 +2158,10 @@ fi
|
|||
# and build.
|
||||
|
||||
%changelog
|
||||
* Mon Apr 18 2011 Chuck Ebbert <cebbert@redhat.com> 2.6.35.12-89
|
||||
* Mon Apr 20 2011 Chuck Ebbert <cebbert@redhat.com> 2.6.35.12-89
|
||||
- Revert TPM patches from -stable (c4ff4b829, 9b29050f8) that caused
|
||||
timeouts and suspend failures (#695953)
|
||||
- Revert extra fix for credentials leak (#683568)
|
||||
|
||||
* Thu Mar 31 2011 Kyle McMartin <kmcmartin@redhat.com> 2.6.35.12-88
|
||||
- Update to longterm 2.6.35.12, drop upstream patches.
|
||||
@ -1,3 +1,79 @@
|
|||
From foo
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Subject: Fix cred leak in AF_NETLINK
|
||||
|
||||
Patch cab9e9848b9a8283b0504a2d7c435a9f5ba026de to the 2.6.35.y stable tree
|
||||
stored a ref to the current cred struct in struct scm_cookie. This was fine
|
||||
with AF_UNIX as that calls scm_destroy() from its packet sending functions, but
|
||||
AF_NETLINK, which also uses scm_send(), does not call scm_destroy() - meaning
|
||||
that the copied credentials leak each time SCM data is sent over a netlink
|
||||
socket.
|
||||
|
||||
This can be triggered quite simply on a Fedora 13 or 14 userspace with the
|
||||
2.6.35.11 kernel (or something based off of that) by calling:
|
||||
|
||||
#!/bin/bash
|
||||
for ((i=0; i<100; i++))
|
||||
do
|
||||
su - -c /bin/true
|
||||
cut -d: -f1 /proc/slabinfo | grep 'cred\|key\|task_struct'
|
||||
cat /proc/keys | wc -l
|
||||
done
|
||||
|
||||
This leaks the session key that pam_keyinit creates for 'su -', which appears
|
||||
in /proc/keys as being revoked (has the R flag set against it) afterward su is
|
||||
called.
|
||||
|
||||
Furthermore, if CONFIG_SLAB=y, then the cred and key slab object usage counts
|
||||
can be viewed and seen to increase. The key slab increases by one object per
|
||||
loop, and this can be seen after the system has had a couple of minutes to
|
||||
stand after the script above has been run on it.
|
||||
|
||||
If the system is working correctly, the key and cred counts should return to
|
||||
roughly what they were before.
|
||||
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
Signed-off-by: Andi Kleen <ak@linux.intel.com>
|
||||
|
||||
---
|
||||
|
||||
net/netlink/af_netlink.c | 14 ++++++++++----
|
||||
1 file changed, 10 insertions(+), 4 deletions(-)
|
||||
|
||||
Index: linux-2.6.35.y/net/netlink/af_netlink.c
|
||||
===================================================================
|
||||
--- linux-2.6.35.y.orig/net/netlink/af_netlink.c 2011-03-29 22:52:05.032059161 -0700
|
||||
+++ linux-2.6.35.y/net/netlink/af_netlink.c 2011-03-29 23:53:42.295455441 -0700
|
||||
@@ -1330,12 +1330,16 @@
|
||||
return err;
|
||||
|
||||
if (msg->msg_namelen) {
|
||||
- if (addr->nl_family != AF_NETLINK)
|
||||
- return -EINVAL;
|
||||
+ if (addr->nl_family != AF_NETLINK) {
|
||||
+ err = -EINVAL;
|
||||
+ goto out;
|
||||
+ }
|
||||
dst_pid = addr->nl_pid;
|
||||
dst_group = ffs(addr->nl_groups);
|
||||
- if (dst_group && !netlink_capable(sock, NL_NONROOT_SEND))
|
||||
- return -EPERM;
|
||||
+ if (dst_group && !netlink_capable(sock, NL_NONROOT_SEND)) {
|
||||
+ err = -EPERM;
|
||||
+ goto out;
|
||||
+ }
|
||||
} else {
|
||||
dst_pid = nlk->dst_pid;
|
||||
dst_group = nlk->dst_group;
|
||||
@@ -1387,6 +1391,8 @@
|
||||
err = netlink_unicast(sk, skb, dst_pid, msg->msg_flags&MSG_DONTWAIT);
|
||||
|
||||
out:
|
||||
+ scm_destroy(siocb->scm);
|
||||
+ siocb->scm = NULL;
|
||||
return err;
|
||||
}
|
||||
|
||||
From c4ff4b829ef9e6353c0b133b7adb564a68054979 Mon Sep 17 00:00:00 2001
|
||||
From: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
|
||||
Date: Fri, 12 Nov 2010 22:30:02 +0100
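Review bot: The `out:` label now runs `scm_destroy(siocb->scm)` for every exit that reaches it, but the leak is only closed if no bare `return` survives between the two hunks (af_netlink.c lines ~1346-1391, not shown on this page); any remaining `return err` there would still skip the destroy, so that stretch should be audited or converted to `goto out` as the first hunk does. The added `siocb->scm = NULL` is safe only if the socket layer reinitialises `siocb->scm` before each sendmsg call, which is not visible here and worth confirming. Judging by the commit title and the TPM reverts that follow in this file, the patch appears to be placed here so that it is reverted rather than applied; if so, the bare `From foo` header should say so and name the bug, e.g. `Subject: [Fedora revert, bug #683568] Fix cred leak in AF_NETLINK`, since reverting it reinstates the per-sendmsg cred and session-key leak the patch body describes, which an unprivileged user can drive with the shown `su - -c /bin/true` loop. netlink_sendmsg begins before the first hunk and its body continues outside both hunks.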
|
||||
|
|