CVE-2014-3631 Add patch to fix oops on keyring gc (rhbz 1116347)
This commit is contained in:
parent
424be526da
commit
b3e4fef148
95
KEYS-Fix-termination-condition-in-assoc-array-garbag.patch
Normal file
95
KEYS-Fix-termination-condition-in-assoc-array-garbag.patch
Normal file
@ -0,0 +1,95 @@
|
||||
From 11646ff9e6874d205ab92af605db6b90fbe214d1 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Tue, 9 Sep 2014 19:12:32 +0100
|
||||
Subject: [PATCH] KEYS: Fix termination condition in assoc array garbage
|
||||
collection
|
||||
|
||||
It is possible for an associative array to end up with a shortcut node at the
|
||||
root of the tree, if there are more than fan-out nodes in the tree, but they
|
||||
all crowd into the same slot in the lowest level (ie. they all have the same
|
||||
first nibble of their index keys).
|
||||
|
||||
When assoc_array_gc() returns back up the tree after scanning some leaves, it
|
||||
can fall off of the root and crash because it assumes that the back pointer
|
||||
from a shortcut (after label ascend_old_tree) must point to a normal node -
|
||||
which isn't true of a shortcut node at the root.
|
||||
|
||||
Should we find we're ascending rootwards over a shortcut, we should check to
|
||||
see if the backpointer is zero - and if it is, we have completed the scan.
|
||||
|
||||
This particular bug cannot occur if the root node is not a shortcut - ie. if
|
||||
you have fewer than 17 keys in a keyring or if you have at least two keys that
|
||||
sit into separate slots (eg. a keyring and a non keyring).
|
||||
|
||||
If we do fall off of the top of the tree, we get the following oops:
|
||||
|
||||
BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
|
||||
IP: [<ffffffff8136cea7>] assoc_array_gc+0x2f7/0x540
|
||||
PGD dae15067 PUD cfc24067 PMD 0
|
||||
Oops: 0000 [#1] SMP
|
||||
Modules linked in: xt_nat xt_mark nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_rpfilter ip6t_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_ni
|
||||
CPU: 0 PID: 26011 Comm: kworker/0:1 Not tainted 3.14.9-200.fc20.x86_64 #1
|
||||
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
|
||||
Workqueue: events key_garbage_collector
|
||||
task: ffff8800918bd580 ti: ffff8800aac14000 task.ti: ffff8800aac14000
|
||||
RIP: 0010:[<ffffffff8136cea7>] [<ffffffff8136cea7>] assoc_array_gc+0x2f7/0x540
|
||||
RSP: 0018:ffff8800aac15d40 EFLAGS: 00010206
|
||||
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8800aaecacc0
|
||||
RDX: ffff8800daecf440 RSI: 0000000000000001 RDI: ffff8800aadc2bc0
|
||||
RBP: ffff8800aac15da8 R08: 0000000000000001 R09: 0000000000000003
|
||||
R10: ffffffff8136ccc7 R11: 0000000000000000 R12: 0000000000000000
|
||||
R13: 0000000000000000 R14: 0000000000000070 R15: 0000000000000001
|
||||
FS: 0000000000000000(0000) GS:ffff88011fc00000(0000) knlGS:0000000000000000
|
||||
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
|
||||
CR2: 0000000000000018 CR3: 00000000db10d000 CR4: 00000000000006f0
|
||||
Stack:
|
||||
ffff8800aac15d50 0000000000000011 ffff8800aac15db8 ffffffff812e2a70
|
||||
ffff880091a00600 0000000000000000 ffff8800aadc2bc3 00000000cd42c987
|
||||
ffff88003702df20 ffff88003702dfa0 0000000053b65c09 ffff8800aac15fd8
|
||||
Call Trace:
|
||||
[<ffffffff812e2a70>] ? keyring_detect_cycle_iterator+0x30/0x30
|
||||
[<ffffffff812e3e75>] keyring_gc+0x75/0x80
|
||||
[<ffffffff812e1424>] key_garbage_collector+0x154/0x3c0
|
||||
[<ffffffff810a67b6>] process_one_work+0x176/0x430
|
||||
[<ffffffff810a744b>] worker_thread+0x11b/0x3a0
|
||||
[<ffffffff810a7330>] ? rescuer_thread+0x3b0/0x3b0
|
||||
[<ffffffff810ae1a8>] kthread+0xd8/0xf0
|
||||
[<ffffffff810ae0d0>] ? insert_kthread_work+0x40/0x40
|
||||
[<ffffffff816ffb7c>] ret_from_fork+0x7c/0xb0
|
||||
[<ffffffff810ae0d0>] ? insert_kthread_work+0x40/0x40
|
||||
Code: 08 4c 8b 22 0f 84 bf 00 00 00 41 83 c7 01 49 83 e4 fc 41 83 ff 0f 4c 89 65 c0 0f 8f 5a fe ff ff 48 8b 45 c0 4d 63 cf 49 83 c1 02 <4e> 8b 34 c8 4d 85 f6 0f 84 be 00 00 00 41 f6 c6 01 0f 84 92
|
||||
RIP [<ffffffff8136cea7>] assoc_array_gc+0x2f7/0x540
|
||||
RSP <ffff8800aac15d40>
|
||||
CR2: 0000000000000018
|
||||
---[ end trace 1129028a088c0cbd ]---
|
||||
|
||||
Bugzilla: 1116347
|
||||
Upstream-status: ??
|
||||
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
lib/assoc_array.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/assoc_array.c b/lib/assoc_array.c
|
||||
index ae146f0734eb..2404d03e251a 100644
|
||||
--- a/lib/assoc_array.c
|
||||
+++ b/lib/assoc_array.c
|
||||
@@ -1723,11 +1723,13 @@ ascend_old_tree:
|
||||
shortcut = assoc_array_ptr_to_shortcut(ptr);
|
||||
slot = shortcut->parent_slot;
|
||||
cursor = shortcut->back_pointer;
|
||||
+ if (!cursor)
|
||||
+ goto gc_complete;
|
||||
} else {
|
||||
slot = node->parent_slot;
|
||||
cursor = ptr;
|
||||
}
|
||||
- BUG_ON(!ptr);
|
||||
+ BUG_ON(!cursor);
|
||||
node = assoc_array_ptr_to_node(cursor);
|
||||
slot++;
|
||||
goto continue_node;
|
||||
--
|
||||
1.9.3
|
||||
|
@ -756,6 +756,9 @@ Patch25111: 0002-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch
|
||||
#CVE-2014-{5206,5207} rhbz 1129662 1129669
|
||||
Patch25130: namespaces-remount-fixes.patch
|
||||
|
||||
#CVE-2014-3631 rhbz 1116347
|
||||
Patch26020: KEYS-Fix-termination-condition-in-assoc-array-garbag.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
@ -1454,6 +1457,9 @@ ApplyPatch 0002-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch
|
||||
#CVE-2014-{5206,5207} rhbz 1129662 1129669
|
||||
ApplyPatch namespaces-remount-fixes.patch
|
||||
|
||||
#CVE-2014-3631 rhbz 1116347
|
||||
ApplyPatch KEYS-Fix-termination-condition-in-assoc-array-garbag.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
@ -2266,6 +2272,9 @@ fi
|
||||
# and build.
|
||||
|
||||
%changelog
|
||||
* Wed Sep 10 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2014-3631 Add patch to fix oops on keyring gc (rhbz 1116347)
|
||||
|
||||
* Tue Sep 09 2014 Justin M. Forbes <jforbes@fedoraproject.org> - 3.14.16-100
|
||||
- Linux v3.14.18
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user