Add fix for CVE-2010-2960: keyctl_session_to_parent NULL deref system crash
This commit is contained in:
parent
3ff22b9f26
commit
b9c237fd69
|
@ -778,6 +778,8 @@ Patch12517: flexcop-fix-xlate_proc_name-warning.patch
|
|||
|
||||
Patch12520: acpi-ec-pm-fix-race-between-ec-transactions-and-system-suspend.patch
|
||||
Patch12521: nfs-fix-an-oops-in-the-nfsv4-atomic-open-code.patch
|
||||
Patch12522: keys-fix-bug-in-keyctl-session-to-parent-if-parent-has-no-session-keyring.patch
|
||||
Patch12523: keys-fix-rcu-no-lock-warning-in-keyctl-session-to-parent.patch
|
||||
|
||||
%endif
|
||||
|
||||
|
@ -1464,6 +1466,10 @@ ApplyPatch acpi-ec-pm-fix-race-between-ec-transactions-and-system-suspend.patch
|
|||
# this went in 2.6.35-stable
|
||||
ApplyPatch nfs-fix-an-oops-in-the-nfsv4-atomic-open-code.patch
|
||||
|
||||
# CVE-2010-2960
|
||||
ApplyPatch keys-fix-bug-in-keyctl-session-to-parent-if-parent-has-no-session-keyring.patch
|
||||
ApplyPatch keys-fix-rcu-no-lock-warning-in-keyctl-session-to-parent.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2089,6 +2095,7 @@ fi
|
|||
- acpi-ec-pm-fix-race-between-ec-transactions-and-system-suspend.patch:
|
||||
another possible fix for suspend/resume problems.
|
||||
- From 2.6.35.4: nfs-fix-an-oops-in-the-nfsv4-atomic-open-code.patch
|
||||
- Add fix for CVE-2010-2960: keyctl_session_to_parent NULL deref system crash
|
||||
|
||||
* Fri Sep 03 2010 Kyle McMartin <kmcmartin@redhat.com>
|
||||
- sanity-check-bond-proc_entry.patch (rhbz#604630)
|
||||
|
|
|
@ -0,0 +1,57 @@
|
|||
From: David Howells <dhowells@redhat.com>
|
||||
Subject: [PATCH] KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
|
||||
|
||||
Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
|
||||
of the parent process's session keyring whether or not the parent has a session
|
||||
keyring [CVE-2010-2960].
|
||||
|
||||
A program like the following:
|
||||
|
||||
#include <unistd.h>
|
||||
#include <keyutils.h>
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
keyctl(KEYCTL_SESSION_TO_PARENT);
|
||||
}
|
||||
|
||||
can be used to trigger the following bug report:
|
||||
|
||||
BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
|
||||
IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443
|
||||
...
|
||||
Call Trace:
|
||||
[<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443
|
||||
[<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0
|
||||
[<ffffffff811af98c>] sys_keyctl+0xb4/0xb8
|
||||
[<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
|
||||
|
||||
if there is no parent process.
|
||||
|
||||
If the system is using pam_keyinit then it mostly protected against this as all
|
||||
processes derived from a login will have inherited the session keyring created
|
||||
by pam_keyinit during the log in procedure.
|
||||
|
||||
To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.
|
||||
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
|
||||
security/keys/keyctl.c | 3 ++-
|
||||
1 files changed, 2 insertions(+), 1 deletions(-)
|
||||
|
||||
|
||||
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
|
||||
index 3868c67..60924f6 100644
|
||||
--- a/security/keys/keyctl.c
|
||||
+++ b/security/keys/keyctl.c
|
||||
@@ -1305,7 +1305,8 @@ long keyctl_session_to_parent(void)
|
||||
goto not_permitted;
|
||||
|
||||
/* the keyrings must have the same UID */
|
||||
- if (pcred ->tgcred->session_keyring->uid != mycred->euid ||
|
||||
+ if ((pcred->tgcred->session_keyring &&
|
||||
+ pcred->tgcred->session_keyring->uid != mycred->euid) ||
|
||||
mycred->tgcred->session_keyring->uid != mycred->euid)
|
||||
goto not_permitted;
|
||||
|
||||
|
|
@ -0,0 +1,64 @@
|
|||
From: David Howells <dhowells@redhat.com>
|
||||
Subject: [PATCH] KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
|
||||
|
||||
There's an protected access to the parent process's credentials in the middle
|
||||
of keyctl_session_to_parent(). This results in the following RCU warning:
|
||||
|
||||
===================================================
|
||||
[ INFO: suspicious rcu_dereference_check() usage. ]
|
||||
---------------------------------------------------
|
||||
security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection!
|
||||
|
||||
other info that might help us debug this:
|
||||
|
||||
rcu_scheduler_active = 1, debug_locks = 0
|
||||
1 lock held by keyctl-session-/2137:
|
||||
#0: (tasklist_lock){.+.+..}, at: [<ffffffff811ae2ec>] keyctl_session_to_parent+0x60/0x236
|
||||
|
||||
stack backtrace:
|
||||
Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1
|
||||
Call Trace:
|
||||
[<ffffffff8105606a>] lockdep_rcu_dereference+0xaa/0xb3
|
||||
[<ffffffff811ae379>] keyctl_session_to_parent+0xed/0x236
|
||||
[<ffffffff811af77e>] sys_keyctl+0xb4/0xb6
|
||||
[<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
|
||||
|
||||
The code should take the RCU read lock to make sure the parents credentials
|
||||
don't go away, even though it's holding a spinlock and has IRQ disabled.
|
||||
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
|
||||
security/keys/keyctl.c | 3 +++
|
||||
1 files changed, 3 insertions(+), 0 deletions(-)
|
||||
|
||||
|
||||
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
|
||||
index b2b0998..3868c67 100644
|
||||
--- a/security/keys/keyctl.c
|
||||
+++ b/security/keys/keyctl.c
|
||||
@@ -1272,6 +1272,7 @@ long keyctl_session_to_parent(void)
|
||||
keyring_r = NULL;
|
||||
|
||||
me = current;
|
||||
+ rcu_read_lock();
|
||||
write_lock_irq(&tasklist_lock);
|
||||
|
||||
parent = me->real_parent;
|
||||
@@ -1319,6 +1320,7 @@ long keyctl_session_to_parent(void)
|
||||
set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME);
|
||||
|
||||
write_unlock_irq(&tasklist_lock);
|
||||
+ rcu_read_unlock();
|
||||
if (oldcred)
|
||||
put_cred(oldcred);
|
||||
return 0;
|
||||
@@ -1327,6 +1329,7 @@ already_same:
|
||||
ret = 0;
|
||||
not_permitted:
|
||||
write_unlock_irq(&tasklist_lock);
|
||||
+ rcu_read_unlock();
|
||||
put_cred(cred);
|
||||
return ret;
|
||||
|
||||
|
Loading…
Reference in New Issue