[kernel] r15639 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Maximilian Attems
maks at alioth.debian.org
Sat May 8 17:01:27 UTC 2010
Author: maks
Date: Sat May 8 17:00:55 2010
New Revision: 15639
Log:
KEYS: find_keyring_by_name() can gain access to a freed keyring
add CVE-2010-1437 fix from stable queue
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/keys-the-request_key-syscall-should-link-an-existing-key-to-the-dest-keyring.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/13
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Fri May 7 16:45:16 2010 (r15638)
+++ dists/sid/linux-2.6/debian/changelog Sat May 8 17:00:55 2010 (r15639)
@@ -9,6 +9,8 @@
[ maximilian attems]
* backport KVM: x86: Extend KVM_SET_VCPU_EVENTS with selective updates.
(closes: #580652)
+ * KEYS: find_keyring_by_name() can gain access to a freed keyring.
+ CVE-2010-1437
-- Frederik Schüler <fs at debian.org> Wed, 05 May 2010 17:54:01 +0200
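Review bot: the added changelog line names find_keyring_by_name() and CVE-2010-1437, but the only patch this revision adds is keys-the-request_key-syscall-should-link-an-existing-key-to-the-dest-keyring.patch. That patch changes security/keys/request_key.c only, and its description covers linking an existing key to the destination keyring, not access to a freed keyring. Either reword the entry to describe the patch actually added, or add the find_keyring_by_name() fix to this commit and to series/13. As committed, the changelog records a CVE as fixed with no visible change to the function it names.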
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/keys-the-request_key-syscall-should-link-an-existing-key-to-the-dest-keyring.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/keys-the-request_key-syscall-should-link-an-existing-key-to-the-dest-keyring.patch Sat May 8 17:00:55 2010 (r15639)
@@ -0,0 +1,81 @@
+From 03449cd9eaa4fa3a7faa4a59474bafe2e90bd143 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 27 Apr 2010 13:13:08 -0700
+Subject: keys: the request_key() syscall should link an existing key to the dest keyring
+
+From: David Howells <dhowells at redhat.com>
+
+commit 03449cd9eaa4fa3a7faa4a59474bafe2e90bd143 upstream.
+
+The request_key() system call and request_key_and_link() should make a
+link from an existing key to the destination keyring (if supplied), not
+just from a new key to the destination keyring.
+
+This can be tested by:
+
+ ring=`keyctl newring fred @s`
+ keyctl request2 user debug:a a
+ keyctl request user debug:a $ring
+ keyctl list $ring
+
+If it says:
+
+ keyring is empty
+
+then it didn't work. If it shows something like:
+
+ 1 key in keyring:
+ 1070462727: --alswrv 0 0 user: debug:a
+
+then it did.
+
+request_key() system call is meant to recursively search all your keyrings for
+the key you desire, and, optionally, if it doesn't exist, call out to userspace
+to create one for you.
+
+If request_key() finds or creates a key, it should, optionally, create a link
+to that key from the destination keyring specified.
+
+Therefore, if, after a successful call to request_key() with a desination
+keyring specified, you see the destination keyring empty, the code didn't work
+correctly.
+
+If you see the found key in the keyring, then it did - which is what the patch
+is required for.
+
+Signed-off-by: David Howells <dhowells at redhat.com>
+Cc: James Morris <jmorris at namei.org>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ security/keys/request_key.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -336,8 +336,10 @@ static int construct_alloc_key(struct ke
+
+ key_already_present:
+ mutex_unlock(&key_construction_mutex);
+- if (dest_keyring)
++ if (dest_keyring) {
++ __key_link(dest_keyring, key_ref_to_ptr(key_ref));
+ up_write(&dest_keyring->sem);
++ }
+ mutex_unlock(&user->cons_lock);
+ key_put(key);
+ *_key = key = key_ref_to_ptr(key_ref);
+@@ -428,6 +430,11 @@ struct key *request_key_and_link(struct
+
+ if (!IS_ERR(key_ref)) {
+ key = key_ref_to_ptr(key_ref);
++ if (dest_keyring) {
++ construct_get_dest_keyring(&dest_keyring);
++ key_link(dest_keyring, key);
++ key_put(dest_keyring);
++ }
+ } else if (PTR_ERR(key_ref) != -EAGAIN) {
+ key = ERR_CAST(key_ref);
+ } else {
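Review bot: in the request_key_and_link() part of the embedded patch, the result of key_link(dest_keyring, key) is discarded, and the same holds for __key_link(dest_keyring, key_ref_to_ptr(key_ref)) under key_already_present in construct_alloc_key(). A caller that supplied a destination keyring therefore gets the key back as a success even when the link was not made, which is the same symptom the patch description tells you to test for (an empty destination keyring after a successful request). Suggest capturing the return value and either propagating the error or adding a comment stating why a failed link is acceptable here.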
Modified: dists/sid/linux-2.6/debian/patches/series/13
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/13 Fri May 7 16:45:16 2010 (r15638)
+++ dists/sid/linux-2.6/debian/patches/series/13 Sat May 8 17:00:55 2010 (r15639)
@@ -1,2 +1,3 @@
+ bugfix/sparc/sparc-Fix-use-of-uid16_t-and-gid16_t.patch
+ bugfix/all/KVM-x86-Extend-KVM_SET_VCPU_EVENTS-with-selective-up.patch
++ bugfix/all/keys-the-request_key-syscall-should-link-an-existing-key-to-the-dest-keyring.patch