More keys fixes from upstream to fix keyctl_get_persisent crash (rhbz 1043033)
This commit is contained in:
parent
d9d571f6b2
commit
54dc996fcb
@ -634,6 +634,8 @@ Patch800: crash-driver.patch
|
||||
|
||||
# crypto/
|
||||
|
||||
Patch900: keys-fixes.patch
|
||||
|
||||
# secure boot
|
||||
Patch1000: secure-modules.patch
|
||||
Patch1001: modsign-uefi.patch
|
||||
@ -1328,6 +1330,8 @@ ApplyPatch Revert-userns-Allow-unprivileged-users-to-create-use.patch
|
||||
# /dev/crash driver.
|
||||
ApplyPatch crash-driver.patch
|
||||
|
||||
ApplyPatch keys-fixes.patch
|
||||
|
||||
# crypto/
|
||||
|
||||
# secure boot
|
||||
@ -2200,6 +2204,9 @@ fi
|
||||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Fri Dec 13 2013 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- More keys fixes from upstream to fix keyctl_get_persisent crash (rhbz 1043033)
|
||||
|
||||
* Fri Dec 13 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.13.0-0.rc3.git4.1
|
||||
- Linux v3.13-rc3-302-g8d27637
|
||||
|
||||
|
174
keys-fixes.patch
Normal file
174
keys-fixes.patch
Normal file
@ -0,0 +1,174 @@
|
||||
Bugzilla: 1043033
|
||||
Upstream-status: submitted for 3.13
|
||||
|
||||
From d7ec435fdd03cfee70dba934ee384acc87bd6d00 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Fri, 13 Dec 2013 15:20:19 +0000
|
||||
Subject: [PATCH 1/3] X.509: Fix certificate gathering
|
||||
|
||||
Fix the gathering of certificates from both the source tree and the build tree
|
||||
to correctly calculate the pathnames of all the certificates.
|
||||
|
||||
The problem was that if the default generated cert, signing_key.x509, didn't
|
||||
exist then it would not have a path attached and if it did, it would have a
|
||||
path attached.
|
||||
|
||||
This means that the contents of kernel/.x509.list would change between the
|
||||
first compilation in a directory and the second. After the second it would
|
||||
remain stable because the signing_key.x509 file exists.
|
||||
|
||||
The consequence was that the kernel would get relinked unconditionally on the
|
||||
second recompilation. The second recompilation would also show something like
|
||||
this:
|
||||
|
||||
X.509 certificate list changed
|
||||
CERTS kernel/x509_certificate_list
|
||||
- Including cert /home/torvalds/v2.6/linux/signing_key.x509
|
||||
AS kernel/system_certificates.o
|
||||
LD kernel/built-in.o
|
||||
|
||||
which is why the relink would happen.
|
||||
|
||||
|
||||
Unfortunately, it isn't a simple matter of just sticking a path on the front
|
||||
of the filename of the certificate in the build directory as make can't then
|
||||
work out how to build it.
|
||||
|
||||
So the path has to be prepended to the name for sorting and duplicate
|
||||
elimination and then removed for the make rule if it is in the build tree.
|
||||
|
||||
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
kernel/Makefile | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/kernel/Makefile b/kernel/Makefile
|
||||
index bbaf7d5..c23bb0b 100644
|
||||
--- a/kernel/Makefile
|
||||
+++ b/kernel/Makefile
|
||||
@@ -137,9 +137,10 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
|
||||
###############################################################################
|
||||
ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
|
||||
X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509)
|
||||
-X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += signing_key.x509
|
||||
-X509_CERTIFICATES := $(sort $(foreach CERT,$(X509_CERTIFICATES-y), \
|
||||
+X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += $(objtree)/signing_key.x509
|
||||
+X509_CERTIFICATES-raw := $(sort $(foreach CERT,$(X509_CERTIFICATES-y), \
|
||||
$(or $(realpath $(CERT)),$(CERT))))
|
||||
+X509_CERTIFICATES := $(subst $(realpath $(objtree))/,,$(X509_CERTIFICATES-raw))
|
||||
|
||||
ifeq ($(X509_CERTIFICATES),)
|
||||
$(warning *** No X.509 certificates found ***)
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
||||
From f46a3cbbebdaa5ca7b3ab23d7b81925dbe152bcb Mon Sep 17 00:00:00 2001
|
||||
From: Kirill Tkhai <tkhai@yandex.ru>
|
||||
Date: Tue, 10 Dec 2013 22:39:57 +0400
|
||||
Subject: [PATCH 2/3] KEYS: Remove files generated when
|
||||
SYSTEM_TRUSTED_KEYRING=y
|
||||
|
||||
Always remove generated SYSTEM_TRUSTED_KEYRING files while doing make mrproper.
|
||||
|
||||
Signed-off-by: Kirill Tkhai <tkhai@yandex.ru>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
kernel/Makefile | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/kernel/Makefile b/kernel/Makefile
|
||||
index c23bb0b..bc010ee 100644
|
||||
--- a/kernel/Makefile
|
||||
+++ b/kernel/Makefile
|
||||
@@ -165,9 +165,9 @@ $(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list
|
||||
targets += $(obj)/.x509.list
|
||||
$(obj)/.x509.list:
|
||||
@echo $(X509_CERTIFICATES) >$@
|
||||
+endif
|
||||
|
||||
clean-files := x509_certificate_list .x509.list
|
||||
-endif
|
||||
|
||||
ifeq ($(CONFIG_MODULE_SIG),y)
|
||||
###############################################################################
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
||||
From 6bd364d82920be726c2d678e7ba9e27112686e11 Mon Sep 17 00:00:00 2001
|
||||
From: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
|
||||
Date: Fri, 13 Dec 2013 15:00:32 +0800
|
||||
Subject: [PATCH 3/3] KEYS: fix uninitialized persistent_keyring_register_sem
|
||||
|
||||
We run into this bug:
|
||||
[ 2736.063245] Unable to handle kernel paging request for data at address 0x00000000
|
||||
[ 2736.063293] Faulting instruction address: 0xc00000000037efb0
|
||||
[ 2736.063300] Oops: Kernel access of bad area, sig: 11 [#1]
|
||||
[ 2736.063303] SMP NR_CPUS=2048 NUMA pSeries
|
||||
[ 2736.063310] Modules linked in: sg nfsv3 rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache nf_conntrack_netbios_ns nf_conntrack_broadcast ipt_MASQUERADE ip6table_mangle ip6table_security ip6table_raw ip6t_REJECT iptable_nat nf_nat_ipv4 iptable_mangle iptable_security iptable_raw ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack ebtable_filter ebtables ip6table_filter iptable_filter ip_tables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 nf_nat nf_conntrack ip6_tables ibmveth pseries_rng nx_crypto nfsd auth_rpcgss nfs_acl lockd sunrpc binfmt_misc xfs libcrc32c dm_service_time sd_mod crc_t10dif crct10dif_common ibmvfc scsi_transport_fc scsi_tgt dm_mirror dm_region_hash dm_log dm_multipath dm_mod
|
||||
[ 2736.063383] CPU: 1 PID: 7128 Comm: ssh Not tainted 3.10.0-48.el7.ppc64 #1
|
||||
[ 2736.063389] task: c000000131930120 ti: c0000001319a0000 task.ti: c0000001319a0000
|
||||
[ 2736.063394] NIP: c00000000037efb0 LR: c0000000006c40f8 CTR: 0000000000000000
|
||||
[ 2736.063399] REGS: c0000001319a3870 TRAP: 0300 Not tainted (3.10.0-48.el7.ppc64)
|
||||
[ 2736.063403] MSR: 8000000000009032 <SF,EE,ME,IR,DR,RI> CR: 28824242 XER: 20000000
|
||||
[ 2736.063415] SOFTE: 0
|
||||
[ 2736.063418] CFAR: c00000000000908c
|
||||
[ 2736.063421] DAR: 0000000000000000, DSISR: 40000000
|
||||
[ 2736.063425]
|
||||
GPR00: c0000000006c40f8 c0000001319a3af0 c000000001074788 c0000001319a3bf0
|
||||
GPR04: 0000000000000000 0000000000000000 0000000000000020 000000000000000a
|
||||
GPR08: fffffffe00000002 00000000ffff0000 0000000080000001 c000000000924888
|
||||
GPR12: 0000000028824248 c000000007e00400 00001fffffa0f998 0000000000000000
|
||||
GPR16: 0000000000000022 00001fffffa0f998 0000010022e92470 0000000000000000
|
||||
GPR20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
|
||||
GPR24: 0000000000000000 c000000000f4a828 00003ffffe527108 0000000000000000
|
||||
GPR28: c000000000f4a730 c000000000f4a828 0000000000000000 c0000001319a3bf0
|
||||
[ 2736.063498] NIP [c00000000037efb0] .__list_add+0x30/0x110
|
||||
[ 2736.063504] LR [c0000000006c40f8] .rwsem_down_write_failed+0x78/0x264
|
||||
[ 2736.063508] PACATMSCRATCH [800000000280f032]
|
||||
[ 2736.063511] Call Trace:
|
||||
[ 2736.063516] [c0000001319a3af0] [c0000001319a3b80] 0xc0000001319a3b80 (unreliable)
|
||||
[ 2736.063523] [c0000001319a3b80] [c0000000006c40f8] .rwsem_down_write_failed+0x78/0x264
|
||||
[ 2736.063530] [c0000001319a3c50] [c0000000006c1bb0] .down_write+0x70/0x78
|
||||
[ 2736.063536] [c0000001319a3cd0] [c0000000002e5ffc] .keyctl_get_persistent+0x20c/0x320
|
||||
[ 2736.063542] [c0000001319a3dc0] [c0000000002e2388] .SyS_keyctl+0x238/0x260
|
||||
[ 2736.063548] [c0000001319a3e30] [c000000000009e7c] syscall_exit+0x0/0x7c
|
||||
[ 2736.063553] Instruction dump:
|
||||
[ 2736.063556] 7c0802a6 fba1ffe8 fbc1fff0 fbe1fff8 7cbd2b78 7c9e2378 7c7f1b78 f8010010
|
||||
[ 2736.063566] f821ff71 e8a50008 7fa52040 40de00c0 <e8be0000> 7fbd2840 40de0094 7fbff040
|
||||
[ 2736.063579] ---[ end trace 2708241785538296 ]---
|
||||
|
||||
It's caused by uninitialized persistent_keyring_register_sem.
|
||||
|
||||
The bug was introduced by commit f36f8c75, two typos are in that commit:
|
||||
CONFIG_KEYS_KERBEROS_CACHE should be CONFIG_PERSISTENT_KEYRINGS and
|
||||
krb_cache_register_sem should be persistent_keyring_register_sem.
|
||||
|
||||
Signed-off-by: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
kernel/user.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/kernel/user.c b/kernel/user.c
|
||||
index a3a0dbf..c006131 100644
|
||||
--- a/kernel/user.c
|
||||
+++ b/kernel/user.c
|
||||
@@ -51,9 +51,9 @@ struct user_namespace init_user_ns = {
|
||||
.owner = GLOBAL_ROOT_UID,
|
||||
.group = GLOBAL_ROOT_GID,
|
||||
.proc_inum = PROC_USER_INIT_INO,
|
||||
-#ifdef CONFIG_KEYS_KERBEROS_CACHE
|
||||
- .krb_cache_register_sem =
|
||||
- __RWSEM_INITIALIZER(init_user_ns.krb_cache_register_sem),
|
||||
+#ifdef CONFIG_PERSISTENT_KEYRINGS
|
||||
+ .persistent_keyring_register_sem =
|
||||
+ __RWSEM_INITIALIZER(init_user_ns.persistent_keyring_register_sem),
|
||||
#endif
|
||||
};
|
||||
EXPORT_SYMBOL_GPL(init_user_ns);
|
||||
--
|
||||
1.8.3.1
|
||||
|
Loading…
Reference in New Issue
Block a user