1 | Copied from |
2 | https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/patch/?id=23567fd052a9abb6d67fe8e7a9ccdd9800a540f2 | |
3 | ||
4 | From 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2 Mon Sep 17 00:00:00 2001 | |
5 | From: Yevgeny Pats <yevgeny@perception-point.io> | |
6 | Date: Tue, 19 Jan 2016 22:09:04 +0000 | |
7 | Subject: KEYS: Fix keyring ref leak in join_session_keyring() | |
8 | ||
9 | This fixes CVE-2016-0728. | |
10 | ||
11 | If a thread is asked to join as a session keyring the keyring that's already | |
12 | set as its session, we leak a keyring reference. | |
13 | ||
14 | This can be tested with the following program: | |
15 | ||
16 | #include <stddef.h> | |
17 | #include <stdio.h> | |
18 | #include <sys/types.h> | |
19 | #include <keyutils.h> | |
20 | ||
21 | int main(int argc, const char *argv[]) | |
22 | { | |
23 | int i = 0; | |
24 | key_serial_t serial; | |
25 | ||
26 | serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, | |
27 | "leaked-keyring"); | |
28 | if (serial < 0) { | |
29 | perror("keyctl"); | |
30 | return -1; | |
31 | } | |
32 | ||
33 | if (keyctl(KEYCTL_SETPERM, serial, | |
34 | KEY_POS_ALL | KEY_USR_ALL) < 0) { | |
35 | perror("keyctl"); | |
36 | return -1; | |
37 | } | |
38 | ||
39 | for (i = 0; i < 100; i++) { | |
40 | serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, | |
41 | "leaked-keyring"); | |
42 | if (serial < 0) { | |
43 | perror("keyctl"); | |
44 | return -1; | |
45 | } | |
46 | } | |
47 | ||
48 | return 0; | |
49 | } | |
50 | ||
51 | If, after the program has run, there is something like the following line in | |
52 | /proc/keys: | |
53 | ||
54 | 3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty | |
55 | ||
56 | with a usage count of 100 * the number of times the program has been run, | |
57 | then the kernel is malfunctioning. If leaked-keyring has zero usages or | |
58 | has been garbage collected, then the problem is fixed. | |
59 | ||
60 | Reported-by: Yevgeny Pats <yevgeny@perception-point.io> | |
61 | Signed-off-by: David Howells <dhowells@redhat.com> | |
62 | Acked-by: Don Zickus <dzickus@redhat.com> | |
63 | Acked-by: Prarit Bhargava <prarit@redhat.com> | |
64 | Acked-by: Jarod Wilson <jarod@redhat.com> | |
65 | Signed-off-by: James Morris <james.l.morris@oracle.com> | |
66 | --- | |
67 | security/keys/process_keys.c | 1 + | |
68 | 1 file changed, 1 insertion(+) | |
69 | ||
70 | diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c | |
71 | index a3f85d2..e6d50172 100644 | |
72 | --- a/security/keys/process_keys.c | |
73 | +++ b/security/keys/process_keys.c | |
74 | @@ -794,6 +794,7 @@ long join_session_keyring(const char *name) | |
75 | ret = PTR_ERR(keyring); | |
76 | goto error2; | |
77 | } else if (keyring == new->session_keyring) { | |
78 | + key_put(keyring); | |
79 | ret = 0; | |
80 | goto error2; | |
81 | } | |
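Review bot: The added `key_put(keyring);` should carry a comment, because a reader of the `} else if (keyring == new->session_keyring)` branch cannot see from this hunk that the lookup just above returned `keyring` with a reference of its own that the early `goto error2` would otherwise abandon; suggest `/* the lookup took a ref; drop it, the session already holds one */` directly above the put. It is also worth stating at that spot why an abandoned reference is more than a leak: the commit message shows the usage count growing by 100 per run under unprivileged control, and if that counter is a fixed-width kernel refcount (not visible here, to be confirmed), a local user can wrap it and free the keyring while it is still in use, which is what makes this a CVE rather than a resource leak. Noting that in a one-line comment keeps the next maintainer from "simplifying" the put away. join_session_keyring() begins and ends outside this hunk, so the error2 cleanup path that the branch jumps to cannot be reviewed here.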
82 | -- | |
83 | cgit v0.12 | |