Fix crash in add_key (rhbz 1284059)
This commit is contained in:
parent
5d464f8c52
commit
572b17832b
|
@ -0,0 +1,125 @@
|
|||
From 3b34bea74e636583d34c8e472237a0bea1e3ba93 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Tue, 24 Nov 2015 21:36:31 +0000
|
||||
Subject: [PATCH] KEYS: Fix handling of stored error in a negatively
|
||||
instantiated user key
|
||||
|
||||
If a user key gets negatively instantiated, an error code is cached in the
|
||||
payload area. A negatively instantiated key may be then be positively
|
||||
instantiated by updating it with valid data. However, the ->update key
|
||||
type method must be aware that the error code may be there.
|
||||
|
||||
The following may be used to trigger the bug in the user key type:
|
||||
|
||||
keyctl request2 user user "" @u
|
||||
keyctl add user user "a" @u
|
||||
|
||||
which manifests itself as:
|
||||
|
||||
BUG: unable to handle kernel paging request at 00000000ffffff8a
|
||||
IP: [<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280 kernel/rcu/tree.c:3046
|
||||
PGD 7cc30067 PUD 0
|
||||
Oops: 0002 [#1] SMP
|
||||
Modules linked in:
|
||||
CPU: 3 PID: 2644 Comm: a.out Not tainted 4.3.0+ #49
|
||||
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
|
||||
task: ffff88003ddea700 ti: ffff88003dd88000 task.ti: ffff88003dd88000
|
||||
RIP: 0010:[<ffffffff810a376f>] [<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280
|
||||
[<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280 kernel/rcu/tree.c:3046
|
||||
RSP: 0018:ffff88003dd8bdb0 EFLAGS: 00010246
|
||||
RAX: 00000000ffffff82 RBX: 0000000000000000 RCX: 0000000000000001
|
||||
RDX: ffffffff81e3fe40 RSI: 0000000000000000 RDI: 00000000ffffff82
|
||||
RBP: ffff88003dd8bde0 R08: ffff88007d2d2da0 R09: 0000000000000000
|
||||
R10: 0000000000000000 R11: ffff88003e8073c0 R12: 00000000ffffff82
|
||||
R13: ffff88003dd8be68 R14: ffff88007d027600 R15: ffff88003ddea700
|
||||
FS: 0000000000b92880(0063) GS:ffff88007fd00000(0000) knlGS:0000000000000000
|
||||
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
|
||||
CR2: 00000000ffffff8a CR3: 000000007cc5f000 CR4: 00000000000006e0
|
||||
Stack:
|
||||
ffff88003dd8bdf0 ffffffff81160a8a 0000000000000000 00000000ffffff82
|
||||
ffff88003dd8be68 ffff88007d027600 ffff88003dd8bdf0 ffffffff810a39e5
|
||||
ffff88003dd8be20 ffffffff812a31ab ffff88007d027600 ffff88007d027620
|
||||
Call Trace:
|
||||
[<ffffffff810a39e5>] kfree_call_rcu+0x15/0x20 kernel/rcu/tree.c:3136
|
||||
[<ffffffff812a31ab>] user_update+0x8b/0xb0 security/keys/user_defined.c:129
|
||||
[< inline >] __key_update security/keys/key.c:730
|
||||
[<ffffffff8129e5c1>] key_create_or_update+0x291/0x440 security/keys/key.c:908
|
||||
[< inline >] SYSC_add_key security/keys/keyctl.c:125
|
||||
[<ffffffff8129fc21>] SyS_add_key+0x101/0x1e0 security/keys/keyctl.c:60
|
||||
[<ffffffff8185f617>] entry_SYSCALL_64_fastpath+0x12/0x6a arch/x86/entry/entry_64.S:185
|
||||
|
||||
Note the error code (-ENOKEY) in EDX.
|
||||
|
||||
A similar bug can be tripped by:
|
||||
|
||||
keyctl request2 trusted user "" @u
|
||||
keyctl add trusted user "a" @u
|
||||
|
||||
This should also affect encrypted keys - but that has to be correctly
|
||||
parameterised or it will fail with EINVAL before getting to the bit that
|
||||
will crashes.
|
||||
|
||||
Reported-by: Dmitry Vyukov <dvyukov@google.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
|
||||
Signed-off-by: James Morris <james.l.morris@oracle.com>
|
||||
---
|
||||
security/keys/encrypted-keys/encrypted.c | 2 ++
|
||||
security/keys/trusted.c | 5 ++++-
|
||||
security/keys/user_defined.c | 5 ++++-
|
||||
3 files changed, 10 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
|
||||
index 7bed4ad7cd76..0a374a2ce030 100644
|
||||
--- a/security/keys/encrypted-keys/encrypted.c
|
||||
+++ b/security/keys/encrypted-keys/encrypted.c
|
||||
@@ -845,6 +845,8 @@ static int encrypted_update(struct key *key, struct key_preparsed_payload *prep)
|
||||
size_t datalen = prep->datalen;
|
||||
int ret = 0;
|
||||
|
||||
+ if (test_bit(KEY_FLAG_NEGATIVE, &key->flags))
|
||||
+ return -ENOKEY;
|
||||
if (datalen <= 0 || datalen > 32767 || !prep->data)
|
||||
return -EINVAL;
|
||||
|
||||
diff --git a/security/keys/trusted.c b/security/keys/trusted.c
|
||||
index c0594cb07ada..aeb38f1a12e7 100644
|
||||
--- a/security/keys/trusted.c
|
||||
+++ b/security/keys/trusted.c
|
||||
@@ -984,13 +984,16 @@ static void trusted_rcu_free(struct rcu_head *rcu)
|
||||
*/
|
||||
static int trusted_update(struct key *key, struct key_preparsed_payload *prep)
|
||||
{
|
||||
- struct trusted_key_payload *p = key->payload.data;
|
||||
+ struct trusted_key_payload *p;
|
||||
struct trusted_key_payload *new_p;
|
||||
struct trusted_key_options *new_o;
|
||||
size_t datalen = prep->datalen;
|
||||
char *datablob;
|
||||
int ret = 0;
|
||||
|
||||
+ if (test_bit(KEY_FLAG_NEGATIVE, &key->flags))
|
||||
+ return -ENOKEY;
|
||||
+ p = key->payload.data;
|
||||
if (!p->migratable)
|
||||
return -EPERM;
|
||||
if (datalen <= 0 || datalen > 32767 || !prep->data)
|
||||
diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
|
||||
index 36b47bbd3d8c..7cf22260bdff 100644
|
||||
--- a/security/keys/user_defined.c
|
||||
+++ b/security/keys/user_defined.c
|
||||
@@ -120,7 +120,10 @@ int user_update(struct key *key, struct key_preparsed_payload *prep)
|
||||
|
||||
if (ret == 0) {
|
||||
/* attach the new data, displacing the old */
|
||||
- zap = key->payload.data;
|
||||
+ if (!test_bit(KEY_FLAG_NEGATIVE, &key->flags))
|
||||
+ zap = key->payload.data;
|
||||
+ else
|
||||
+ zap = NULL;
|
||||
rcu_assign_keypointer(key, upayload);
|
||||
key->expiry = 0;
|
||||
}
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -623,6 +623,9 @@ Patch558: netfilter-ipset-Fix-hash-type-expire-release-empty-h.patch
|
|||
#CVE-2015-8374 rhbz 1286261 1286262
|
||||
Patch565: Btrfs-fix-truncation-of-compressed-and-inlined-exten.patch
|
||||
|
||||
#rhbz 1284059
|
||||
Patch566: KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -2067,6 +2070,7 @@ fi
|
|||
#
|
||||
%changelog
|
||||
* Mon Nov 30 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Fix crash in add_key (rhbz 1284059)
|
||||
- CVE-2015-8374 btrfs: info leak when truncating compressed/inlined extents (rhbz 1286261 1286262)
|
||||
|
||||
* Sun Nov 22 2015 Peter Robinson <pbrobinson@fedoraproject.org>
|
||||
|
|
Loading…
Reference in New Issue