[kernel] r15639 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Maximilian Attems maks at alioth.debian.org
Sat May 8 17:01:27 UTC 2010


Author: maks
Date: Sat May  8 17:00:55 2010
New Revision: 15639

Log:
KEYS: find_keyring_by_name() can gain access to a freed keyring
add CVE-2010-1437 fix from stable queue

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/keys-the-request_key-syscall-should-link-an-existing-key-to-the-dest-keyring.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/13

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Fri May  7 16:45:16 2010	(r15638)
+++ dists/sid/linux-2.6/debian/changelog	Sat May  8 17:00:55 2010	(r15639)
@@ -9,6 +9,8 @@
   [ maximilian attems]
   * backport KVM: x86: Extend KVM_SET_VCPU_EVENTS with selective updates.
     (closes: #580652)
+  * KEYS: find_keyring_by_name() can gain access to a freed keyring.
+    CVE-2010-1437
 
  -- Frederik Schüler <fs at debian.org>  Wed, 05 May 2010 17:54:01 +0200
 

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/keys-the-request_key-syscall-should-link-an-existing-key-to-the-dest-keyring.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/keys-the-request_key-syscall-should-link-an-existing-key-to-the-dest-keyring.patch	Sat May  8 17:00:55 2010	(r15639)
@@ -0,0 +1,81 @@
+From 03449cd9eaa4fa3a7faa4a59474bafe2e90bd143 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 27 Apr 2010 13:13:08 -0700
+Subject: keys: the request_key() syscall should link an existing key to the dest keyring
+
+From: David Howells <dhowells at redhat.com>
+
+commit 03449cd9eaa4fa3a7faa4a59474bafe2e90bd143 upstream.
+
+The request_key() system call and request_key_and_link() should make a
+link from an existing key to the destination keyring (if supplied), not
+just from a new key to the destination keyring.
+
+This can be tested by:
+
+	ring=`keyctl newring fred @s`
+	keyctl request2 user debug:a a
+	keyctl request user debug:a $ring
+	keyctl list $ring
+
+If it says:
+
+	keyring is empty
+
+then it didn't work.  If it shows something like:
+
+	1 key in keyring:
+	1070462727: --alswrv     0     0 user: debug:a
+
+then it did.
+
+request_key() system call is meant to recursively search all your keyrings for
+the key you desire, and, optionally, if it doesn't exist, call out to userspace
+to create one for you.
+
+If request_key() finds or creates a key, it should, optionally, create a link
+to that key from the destination keyring specified.
+
+Therefore, if, after a successful call to request_key() with a desination
+keyring specified, you see the destination keyring empty, the code didn't work
+correctly.
+
+If you see the found key in the keyring, then it did - which is what the patch
+is required for.
+
+Signed-off-by: David Howells <dhowells at redhat.com>
+Cc: James Morris <jmorris at namei.org>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ security/keys/request_key.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -336,8 +336,10 @@ static int construct_alloc_key(struct ke
+ 
+ key_already_present:
+ 	mutex_unlock(&key_construction_mutex);
+-	if (dest_keyring)
++	if (dest_keyring) {
++		__key_link(dest_keyring, key_ref_to_ptr(key_ref));
+ 		up_write(&dest_keyring->sem);
++	}
+ 	mutex_unlock(&user->cons_lock);
+ 	key_put(key);
+ 	*_key = key = key_ref_to_ptr(key_ref);
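Review bot: at key_already_present, the result of the new __key_link(dest_keyring, key_ref_to_ptr(key_ref)) call is discarded, so the code goes on to release dest_keyring->sem and hand the existing key back through *_key whether or not the link was made. If __key_link() can fail at this point, capture its return value and propagate it, or add a comment saying why a failed link is acceptable. A one-line comment that dest_keyring->sem is still write-held at this label would also explain why __key_link() is used here while the second hunk calls key_link().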
+@@ -428,6 +430,11 @@ struct key *request_key_and_link(struct
+ 
+ 	if (!IS_ERR(key_ref)) {
+ 		key = key_ref_to_ptr(key_ref);
++		if (dest_keyring) {
++			construct_get_dest_keyring(&dest_keyring);
++			key_link(dest_keyring, key);
++			key_put(dest_keyring);
++		}
+ 	} else if (PTR_ERR(key_ref) != -EAGAIN) {
+ 		key = ERR_CAST(key_ref);
+ 	} else  {
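Review bot: in the new if (dest_keyring) block of request_key_and_link(), the return value of key_link(dest_keyring, key) is dropped, so a caller that supplied a destination keyring gets the found key back even when the link failed, which leaves the "keyring is empty" state that the commit message's own test treats as failure. Suggest storing the result and returning the error when it is negative, or documenting the link as best-effort. The construct_get_dest_keyring() and key_put(dest_keyring) pair around the link also deserves a short comment on why the extra reference is taken.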

Modified: dists/sid/linux-2.6/debian/patches/series/13
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/13	Fri May  7 16:45:16 2010	(r15638)
+++ dists/sid/linux-2.6/debian/patches/series/13	Sat May  8 17:00:55 2010	(r15639)
@@ -1,2 +1,3 @@
 + bugfix/sparc/sparc-Fix-use-of-uid16_t-and-gid16_t.patch
 + bugfix/all/KVM-x86-Extend-KVM_SET_VCPU_EVENTS-with-selective-up.patch
++ bugfix/all/keys-the-request_key-syscall-should-link-an-existing-key-to-the-dest-keyring.patch
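Review bot: the patch queued by this new series line does not match what the log message and the changelog entry say this revision fixes. Both name "find_keyring_by_name() can gain access to a freed keyring" (CVE-2010-1437), but the file added is the request_key() linking change, which only touches security/keys/request_key.c and whose description mentions neither find_keyring_by_name() nor a freed keyring. Check whether the intended stable-queue patch was left out of this commit; if so, add it under bugfix/all and to this series file, otherwise correct the changelog entry and its CVE reference.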


