From 47e44286b05205e9cdd3e5db1043616e1b05074b Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 14 Dec 2015 10:40:27 -0500 Subject: [PATCH] CVE-2015-7550 Race between read and revoke keys (rhbz 1291197 1291198) --- KEYS-Fix-race-between-read-and-revoke.patch | 108 ++++++++++++++++++++ kernel.spec | 6 ++ 2 files changed, 114 insertions(+) create mode 100644 KEYS-Fix-race-between-read-and-revoke.patch diff --git a/KEYS-Fix-race-between-read-and-revoke.patch b/KEYS-Fix-race-between-read-and-revoke.patch new file mode 100644 index 000000000..df0d9376b --- /dev/null +++ b/KEYS-Fix-race-between-read-and-revoke.patch @@ -0,0 +1,108 @@ +From f144220f72062ed5359e0211f130670c915a12dd Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Mon, 14 Dec 2015 10:36:31 -0500 +Subject: [PATCH] KEYS: Fix race between read and revoke + +There's a race between keyctl_read() and keyctl_revoke(). If the revoke +happens between keyctl_read() checking the validity of a key and the key's +semaphore being taken, then the key type read method will see a revoked key. + +This causes a problem for the user-defined key type because it assumes in +its read method that there will always be a payload in a non-revoked key +and doesn't check for a NULL pointer. + +Fix this by making keyctl_read() check the validity of a key after taking +semaphore instead of before. + +This was discovered by a multithreaded test program generated by syzkaller +(http://github.com/google/syzkaller). Here's a cleaned up version: + + #include + #include + #include + void *thr0(void *arg) + { + key_serial_t key = (unsigned long)arg; + keyctl_revoke(key); + return 0; + } + void *thr1(void *arg) + { + key_serial_t key = (unsigned long)arg; + char buffer[16]; + keyctl_read(key, buffer, 16); + return 0; + } + int main() + { + key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING); + pthread_t th[5]; + pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key); + pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key); + pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key); + pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key); + pthread_join(th[0], 0); + pthread_join(th[1], 0); + pthread_join(th[2], 0); + pthread_join(th[3], 0); + return 0; + } + +Build as: + + cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread + +Run as: + + while keyctl-race; do :; done + +as it may need several iterations to crash the kernel. The crash can be +summarised as: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 + IP: [] user_read+0x56/0xa3 + ... + Call Trace: + [] keyctl_read_key+0xb6/0xd7 + [] SyS_keyctl+0x83/0xe0 + [] entry_SYSCALL_64_fastpath+0x12/0x6f + +Reported-by: Dmitry Vyukov +Signed-off-by: David Howells +--- + security/keys/keyctl.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c +index fb111eafcb89..1c3872aeed14 100644 +--- a/security/keys/keyctl.c ++++ b/security/keys/keyctl.c +@@ -751,16 +751,16 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) + + /* the key is probably readable - now try to read it */ + can_read_key: +- ret = key_validate(key); +- if (ret == 0) { +- ret = -EOPNOTSUPP; +- if (key->type->read) { +- /* read the data with the semaphore held (since we +- * might sleep) */ +- down_read(&key->sem); ++ ret = -EOPNOTSUPP; ++ if (key->type->read) { ++ /* Read the data with the semaphore held (since we might sleep) ++ * to protect against the key being updated or revoked. ++ */ ++ down_read(&key->sem); ++ ret = key_validate(key); ++ if (ret == 0) + ret = key->type->read(key, buffer, buflen); +- up_read(&key->sem); +- } ++ up_read(&key->sem); + } + + error2: +-- +2.5.0 + diff --git a/kernel.spec b/kernel.spec index ad7711998..2eab78d22 100644 --- a/kernel.spec +++ b/kernel.spec @@ -597,6 +597,9 @@ Patch571: ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch #rhbz 1288687 Patch572: alua_fix.patch +#CVE-2015-7550 rhbz 1291197 1291198 +Patch575: KEYS-Fix-race-between-read-and-revoke.patch + # END OF PATCH DEFINITIONS %endif @@ -2040,6 +2043,9 @@ fi # # %changelog +* Mon Dec 14 2015 Josh Boyer +- CVE-2015-7550 Race between read and revoke keys (rhbz 1291197 1291198) + * Fri Dec 11 2015 Laura Abbott - 4.4.0-0.rc4.git4.1 - Linux v4.4-rc4-113-g0bd0f1e