linux-uconsole/security/keys
David Howells db1a0b94ba KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
commit 3d96406c7d upstream.

Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
of the parent process's session keyring whether or not the parent has a session
keyring [CVE-2010-2960].

This results in the following oops:

  BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
  IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443
  ...
  Call Trace:
   [<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443
   [<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0
   [<ffffffff811af98c>] sys_keyctl+0xb4/0xb8
   [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b

if the parent process has no session keyring.

If the system is using pam_keyinit then it is mostly protected against this as all
processes derived from a login will have inherited the session keyring created
by pam_keyinit during the log in procedure.

To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.

Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Cc: dann frazier <dannf@debian.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-09-26 17:21:30 -07:00
compat.c KEYS: Add a keyctl to install a process's session keyring on its parent [try #6] 2009-09-02 21:29:22 +10:00
gc.c KEYS: Have the garbage collector set its timer for live expired keys 2009-09-23 11:03:47 -07:00
internal.h KEYS: Add a keyctl to install a process's session keyring on its parent [try #6] 2009-09-02 21:29:22 +10:00
key.c KEYS: Fix garbage collector 2009-09-15 09:11:02 +10:00
keyctl.c KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring 2010-09-26 17:21:30 -07:00
keyring.c KEYS: find_keyring_by_name() can gain access to a freed keyring 2010-07-05 11:11:21 -07:00
Makefile KEYS: Add garbage collection for dead, revoked and expired keys. [try #6] 2009-09-02 21:29:11 +10:00
permission.c keys: consider user namespace in key_permission 2009-02-27 12:35:09 +11:00
proc.c KEYS: Do some whitespace cleanups [try #6] 2009-09-02 21:29:16 +10:00
process_keys.c KEYS: Return more accurate error codes 2010-07-05 11:11:20 -07:00
request_key.c keys: the request_key() syscall should link an existing key to the dest keyring 2010-05-12 14:57:01 -07:00
request_key_auth.c CRED: Inaugurate COW credentials 2008-11-14 10:39:23 +11:00
sysctl.c KEYS: Add garbage collection for dead, revoked and expired keys. [try #6] 2009-09-02 21:29:11 +10:00
user_defined.c [PATCH] remove many unneeded #includes of sched.h 2007-02-14 08:09:54 -08:00