Fix 3 CVEs
/dev/sequencer open failure is not handled correctly (CVE-2010-3080) NULL deref and panic in irda (CVE-2010-2954) keyctl_session_to_parent NULL deref system crash (CVE-2010-2960)
This commit is contained in:
parent
14525abb6d
commit
db056c27c3
|
@ -0,0 +1,53 @@
|
|||
From: Takashi Iwai <tiwai@suse.de>
|
||||
Date: Mon, 6 Sep 2010 07:13:45 +0000 (+0200)
|
||||
Subject: ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=27f7ad53829f79e799a253285318bff79ece15bd
|
||||
|
||||
ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
|
||||
|
||||
The error handling in snd_seq_oss_open() has several bad codes that
|
||||
do dereferecing released pointers and double-free of kmalloc'ed data.
|
||||
The object dp is release in free_devinfo() that is called via
|
||||
private_free callback. The rest shouldn't touch this object any more.
|
||||
|
||||
The patch changes delete_port() to call kfree() in any case, and gets
|
||||
rid of unnecessary calls of destructors in snd_seq_oss_open().
|
||||
|
||||
Fixes CVE-2010-3080.
|
||||
|
||||
Reported-and-tested-by: Tavis Ormandy <taviso@cmpxchg8b.com>
|
||||
Cc: <stable@kernel.org>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
|
||||
diff --git a/sound/core/seq/oss/seq_oss_init.c b/sound/core/seq/oss/seq_oss_init.c
|
||||
index 6857122..69cd7b3 100644
|
||||
--- a/sound/core/seq/oss/seq_oss_init.c
|
||||
+++ b/sound/core/seq/oss/seq_oss_init.c
|
||||
@@ -281,13 +281,10 @@ snd_seq_oss_open(struct file *file, int level)
|
||||
return 0;
|
||||
|
||||
_error:
|
||||
- snd_seq_oss_writeq_delete(dp->writeq);
|
||||
- snd_seq_oss_readq_delete(dp->readq);
|
||||
snd_seq_oss_synth_cleanup(dp);
|
||||
snd_seq_oss_midi_cleanup(dp);
|
||||
- delete_port(dp);
|
||||
delete_seq_queue(dp->queue);
|
||||
- kfree(dp);
|
||||
+ delete_port(dp);
|
||||
|
||||
return rc;
|
||||
}
|
||||
@@ -350,8 +347,10 @@ create_port(struct seq_oss_devinfo *dp)
|
||||
static int
|
||||
delete_port(struct seq_oss_devinfo *dp)
|
||||
{
|
||||
- if (dp->port < 0)
|
||||
+ if (dp->port < 0) {
|
||||
+ kfree(dp);
|
||||
return 0;
|
||||
+ }
|
||||
|
||||
debug_printk(("delete_port %i\n", dp->port));
|
||||
return snd_seq_event_port_detach(dp->cseq, dp->port);
|
|
@ -0,0 +1,35 @@
|
|||
From: David S. Miller <davem@davemloft.net>
|
||||
Date: Tue, 31 Aug 2010 01:35:24 +0000 (-0700)
|
||||
Subject: irda: Correctly clean up self->ias_obj on irda_bind() failure.
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=628e300cccaa628d8fb92aa28cb7530a3d5f2257
|
||||
|
||||
irda: Correctly clean up self->ias_obj on irda_bind() failure.
|
||||
|
||||
If irda_open_tsap() fails, the irda_bind() code tries to destroy
|
||||
the ->ias_obj object by hand, but does so wrongly.
|
||||
|
||||
In particular, it fails to a) release the hashbin attached to the
|
||||
object and b) reset the self->ias_obj pointer to NULL.
|
||||
|
||||
Fix both problems by using irias_delete_object() and explicitly
|
||||
setting self->ias_obj to NULL, just as irda_release() does.
|
||||
|
||||
Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
|
||||
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
|
||||
index 79986a6..fd55b51 100644
|
||||
--- a/net/irda/af_irda.c
|
||||
+++ b/net/irda/af_irda.c
|
||||
@@ -824,8 +824,8 @@ static int irda_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
|
||||
|
||||
err = irda_open_tsap(self, addr->sir_lsap_sel, addr->sir_name);
|
||||
if (err < 0) {
|
||||
- kfree(self->ias_obj->name);
|
||||
- kfree(self->ias_obj);
|
||||
+ irias_delete_object(self->ias_obj);
|
||||
+ self->ias_obj = NULL;
|
||||
goto out;
|
||||
}
|
||||
|
22
kernel.spec
22
kernel.spec
|
@ -739,6 +739,14 @@ Patch12520: execve-improve-interactivity-with-large-arguments.patch
|
|||
Patch12521: execve-make-responsive-to-sigkill-with-large-arguments.patch
|
||||
Patch12522: setup_arg_pages-diagnose-excessive-argument-size.patch
|
||||
|
||||
# CVE-2010-3080
|
||||
Patch12530: alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
|
||||
# CVE-2010-2954
|
||||
Patch12540: irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
|
||||
# CVE-2010-2960
|
||||
Patch12550: keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
|
||||
Patch12551: keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
|
||||
|
||||
%endif
|
||||
|
||||
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
|
||||
|
@ -1368,6 +1376,14 @@ ApplyPatch execve-improve-interactivity-with-large-arguments.patch
|
|||
ApplyPatch execve-make-responsive-to-sigkill-with-large-arguments.patch
|
||||
ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch
|
||||
|
||||
# CVE-2010-3080
|
||||
ApplyPatch alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
|
||||
# CVE-2010-2954
|
||||
ApplyPatch irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
|
||||
# CVE-2010-2960
|
||||
ApplyPatch keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
|
||||
ApplyPatch keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -1955,6 +1971,12 @@ fi
|
|||
|
||||
%changelog
|
||||
* Tue Sep 14 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.35.4-28
|
||||
- Fix 3 CVEs:
|
||||
/dev/sequencer open failure is not handled correctly (CVE-2010-3080)
|
||||
NULL deref and panic in irda (CVE-2010-2954)
|
||||
keyctl_session_to_parent NULL deref system crash (CVE-2010-2960)
|
||||
|
||||
* Tue Sep 14 2010 Chuck Ebbert <cebbert@redhat.com>
|
||||
- Fix DOS with large argument lists.
|
||||
|
||||
* Tue Sep 14 2010 Kyle McMartin <kyle@redhat.com>
|
||||
|
|
|
@ -0,0 +1,50 @@
|
|||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Fri, 10 Sep 2010 08:59:51 +0000 (+0100)
|
||||
Subject: KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=3d96406c7da1ed5811ea52a3b0905f4f0e295376
|
||||
|
||||
KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
|
||||
|
||||
Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
|
||||
of the parent process's session keyring whether or not the parent has a session
|
||||
keyring [CVE-2010-2960].
|
||||
|
||||
This results in the following oops:
|
||||
|
||||
BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
|
||||
IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443
|
||||
...
|
||||
Call Trace:
|
||||
[<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443
|
||||
[<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0
|
||||
[<ffffffff811af98c>] sys_keyctl+0xb4/0xb8
|
||||
[<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
|
||||
|
||||
if the parent process has no session keyring.
|
||||
|
||||
If the system is using pam_keyinit then it mostly protected against this as all
|
||||
processes derived from a login will have inherited the session keyring created
|
||||
by pam_keyinit during the log in procedure.
|
||||
|
||||
To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.
|
||||
|
||||
Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
Acked-by: Tavis Ormandy <taviso@cmpxchg8b.com>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
|
||||
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
|
||||
index 3868c67..60924f6 100644
|
||||
--- a/security/keys/keyctl.c
|
||||
+++ b/security/keys/keyctl.c
|
||||
@@ -1305,7 +1305,8 @@ long keyctl_session_to_parent(void)
|
||||
goto not_permitted;
|
||||
|
||||
/* the keyrings must have the same UID */
|
||||
- if (pcred->tgcred->session_keyring->uid != mycred->euid ||
|
||||
+ if ((pcred->tgcred->session_keyring &&
|
||||
+ pcred->tgcred->session_keyring->uid != mycred->euid) ||
|
||||
mycred->tgcred->session_keyring->uid != mycred->euid)
|
||||
goto not_permitted;
|
||||
|
|
@ -0,0 +1,64 @@
|
|||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Fri, 10 Sep 2010 08:59:46 +0000 (+0100)
|
||||
Subject: KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9d1ac65a9698513d00e5608d93fca0c53f536c14
|
||||
|
||||
KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
|
||||
|
||||
There's an protected access to the parent process's credentials in the middle
|
||||
of keyctl_session_to_parent(). This results in the following RCU warning:
|
||||
|
||||
===================================================
|
||||
[ INFO: suspicious rcu_dereference_check() usage. ]
|
||||
---------------------------------------------------
|
||||
security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection!
|
||||
|
||||
other info that might help us debug this:
|
||||
|
||||
rcu_scheduler_active = 1, debug_locks = 0
|
||||
1 lock held by keyctl-session-/2137:
|
||||
#0: (tasklist_lock){.+.+..}, at: [<ffffffff811ae2ec>] keyctl_session_to_parent+0x60/0x236
|
||||
|
||||
stack backtrace:
|
||||
Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1
|
||||
Call Trace:
|
||||
[<ffffffff8105606a>] lockdep_rcu_dereference+0xaa/0xb3
|
||||
[<ffffffff811ae379>] keyctl_session_to_parent+0xed/0x236
|
||||
[<ffffffff811af77e>] sys_keyctl+0xb4/0xb6
|
||||
[<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
|
||||
|
||||
The code should take the RCU read lock to make sure the parents credentials
|
||||
don't go away, even though it's holding a spinlock and has IRQ disabled.
|
||||
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
|
||||
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
|
||||
index b2b0998..3868c67 100644
|
||||
--- a/security/keys/keyctl.c
|
||||
+++ b/security/keys/keyctl.c
|
||||
@@ -1272,6 +1272,7 @@ long keyctl_session_to_parent(void)
|
||||
keyring_r = NULL;
|
||||
|
||||
me = current;
|
||||
+ rcu_read_lock();
|
||||
write_lock_irq(&tasklist_lock);
|
||||
|
||||
parent = me->real_parent;
|
||||
@@ -1319,6 +1320,7 @@ long keyctl_session_to_parent(void)
|
||||
set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME);
|
||||
|
||||
write_unlock_irq(&tasklist_lock);
|
||||
+ rcu_read_unlock();
|
||||
if (oldcred)
|
||||
put_cred(oldcred);
|
||||
return 0;
|
||||
@@ -1327,6 +1329,7 @@ already_same:
|
||||
ret = 0;
|
||||
not_permitted:
|
||||
write_unlock_irq(&tasklist_lock);
|
||||
+ rcu_read_unlock();
|
||||
put_cred(cred);
|
||||
return ret;
|
||||
|
Loading…
Reference in New Issue