[kernel] r16295 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Sep 16 18:59:02 UTC 2010
Author: dannf
Date: Thu Sep 16 18:58:44 2010
New Revision: 16295
Log:
  * KEYS (CVE-2010-2960):
    - Fix RCU no-lock warning in keyctl_session_to_parent()
    - Fix bug in keyctl_session_to_parent() if parent has no session keyring
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/keys-fix-RCU-no-lock-warning-in-keyctl_session_to_parent.patch
dists/sid/linux-2.6/debian/patches/bugfix/all/keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/23
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Thu Sep 16 17:33:20 2010 (r16294)
+++ dists/sid/linux-2.6/debian/changelog Thu Sep 16 18:58:44 2010 (r16295)
@@ -21,6 +21,9 @@
- Retruncate rax after ia32 syscall entry tracing
- Test %rax for the syscall number, not %eax
* wireless extensions: fix kernel heap content leak (CVE-2010-2955)
+ * KEYS (CVE-2010-2960):
+ - Fix RCU no-lock warning in keyctl_session_to_parent()
+ - Fix bug in keyctl_session_to_parent() if parent has no session keyring
-- Ben Hutchings <ben at decadent.org.uk> Wed, 15 Sep 2010 11:21:18 +0100
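Review bot: the changelog entry attributes both sub-items to CVE-2010-2960, but only the second patch's commit message references the CVE; the RCU no-lock warning fix is a lockdep-warning cleanup that the second patch is applied on top of, not part of the CVE itself. Consider wording the entry so the security tracker does not conflate the two, e.g. "KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring (CVE-2010-2960)" with the RCU fix listed as its prerequisite.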
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/keys-fix-RCU-no-lock-warning-in-keyctl_session_to_parent.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/keys-fix-RCU-no-lock-warning-in-keyctl_session_to_parent.patch Thu Sep 16 18:58:44 2010 (r16295)
@@ -0,0 +1,62 @@
+commit 9d1ac65a9698513d00e5608d93fca0c53f536c14
+Author: David Howells <dhowells at redhat.com>
+Date: Fri Sep 10 09:59:46 2010 +0100
+
+ KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
+
+ There's an protected access to the parent process's credentials in the middle
+ of keyctl_session_to_parent(). This results in the following RCU warning:
+
+ ===================================================
+ [ INFO: suspicious rcu_dereference_check() usage. ]
+ ---------------------------------------------------
+ security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection!
+
+ other info that might help us debug this:
+
+ rcu_scheduler_active = 1, debug_locks = 0
+ 1 lock held by keyctl-session-/2137:
+ #0: (tasklist_lock){.+.+..}, at: [<ffffffff811ae2ec>] keyctl_session_to_parent+0x60/0x236
+
+ stack backtrace:
+ Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1
+ Call Trace:
+ [<ffffffff8105606a>] lockdep_rcu_dereference+0xaa/0xb3
+ [<ffffffff811ae379>] keyctl_session_to_parent+0xed/0x236
+ [<ffffffff811af77e>] sys_keyctl+0xb4/0xb6
+ [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
+
+ The code should take the RCU read lock to make sure the parents credentials
+ don't go away, even though it's holding a spinlock and has IRQ disabled.
+
+ Signed-off-by: David Howells <dhowells at redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
+index b2b0998..3868c67 100644
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -1272,6 +1272,7 @@ long keyctl_session_to_parent(void)
+ keyring_r = NULL;
+
+ me = current;
++ rcu_read_lock();
+ write_lock_irq(&tasklist_lock);
+
+ parent = me->real_parent;
+@@ -1319,6 +1320,7 @@ long keyctl_session_to_parent(void)
+ set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME);
+
+ write_unlock_irq(&tasklist_lock);
++ rcu_read_unlock();
+ if (oldcred)
+ put_cred(oldcred);
+ return 0;
+@@ -1327,6 +1329,7 @@ already_same:
+ ret = 0;
+ not_permitted:
+ write_unlock_irq(&tasklist_lock);
++ rcu_read_unlock();
+ put_cred(cred);
+ return ret;
+
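Review bot: the lock nesting in this added patch is correct as shown (rcu_read_lock() taken before write_lock_irq(&tasklist_lock) at line 1272, rcu_read_unlock() after write_unlock_irq() on both the success path and the already_same/not_permitted path), but the fix only holds if every exit between the lock and unlock is mirrored; please confirm there is no other return or goto label in keyctl_session_to_parent() between the two unlock sites, since a missed path would leak the RCU read-side critical section. Also, unlike the second patch, this one carries the upstream hunk offsets (1272/1319/1327) and no "[Backported to Debian's 2.6.32 ...]" note; verify it applies without fuzz to the 2.6.32 source or regenerate it against the Debian tree as was done for the second patch.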
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch Thu Sep 16 18:58:44 2010 (r16295)
@@ -0,0 +1,49 @@
+commit 3d96406c7da1ed5811ea52a3b0905f4f0e295376
+Author: David Howells <dhowells at redhat.com>
+Date: Fri Sep 10 09:59:51 2010 +0100
+
+ KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
+
+ Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
+ of the parent process's session keyring whether or not the parent has a session
+ keyring [CVE-2010-2960].
+
+ This results in the following oops:
+
+ BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
+ IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443
+ ...
+ Call Trace:
+ [<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443
+ [<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0
+ [<ffffffff811af98c>] sys_keyctl+0xb4/0xb8
+ [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
+
+ if the parent process has no session keyring.
+
+ If the system is using pam_keyinit then it mostly protected against this as all
+ processes derived from a login will have inherited the session keyring created
+ by pam_keyinit during the log in procedure.
+
+ To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.
+
+ Reported-by: Tavis Ormandy <taviso at cmpxchg8b.com>
+ Signed-off-by: David Howells <dhowells at redhat.com>
+ Acked-by: Tavis Ormandy <taviso at cmpxchg8b.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+[Backported to Debian's 2.6.32 by dann frazier <dannf at debian.org>]
+
+diff -urpN linux-source-2.6.32.orig/security/keys/keyctl.c linux-source-2.6.32/security/keys/keyctl.c
+--- linux-source-2.6.32.orig/security/keys/keyctl.c 2010-09-16 12:16:29.000000000 -0600
++++ linux-source-2.6.32/security/keys/keyctl.c 2010-09-16 12:18:32.000000000 -0600
+@@ -1292,7 +1292,8 @@ long keyctl_session_to_parent(void)
+ goto not_permitted;
+
+ /* the keyrings must have the same UID */
+- if (pcred ->tgcred->session_keyring->uid != mycred->euid ||
++ if ((pcred->tgcred->session_keyring &&
++ pcred->tgcred->session_keyring->uid != mycred->euid) ||
+ mycred->tgcred->session_keyring->uid != mycred->euid)
+ goto not_permitted;
+
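Review bot: the new condition guards pcred->tgcred->session_keyring against NULL (the cause of the NULL-pointer oops quoted in the commit message, where the parent has no session keyring), but the unchanged next line still dereferences mycred->tgcred->session_keyring->uid without a corresponding check. If the caller's session keyring is guaranteed non-NULL by an earlier lookup at the top of the function (not visible in this hunk), a one-line comment above the condition stating that invariant would stop the asymmetry from being mistaken for a second missing check; if it is not guaranteed, the same guard is needed there. Minor style point: the stray space in the removed line's "pcred ->tgcred" is fixed in passing by this hunk.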
Modified: dists/sid/linux-2.6/debian/patches/series/23
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/23 Thu Sep 16 17:33:20 2010 (r16294)
+++ dists/sid/linux-2.6/debian/patches/series/23 Thu Sep 16 18:58:44 2010 (r16295)
@@ -12,3 +12,5 @@
+ bugfix/all/compat-make-compat_alloc_user_space-incorporate-the-access_ok.patch
+ bugfix/x86/compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
+ bugfix/all/wireless-extensions-fix-kernel-heap-content-leak.patch
++ bugfix/all/keys-fix-RCU-no-lock-warning-in-keyctl_session_to_parent.patch
++ bugfix/all/keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
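Review bot: the two new entries must stay in this order. Both patches touch keyctl_session_to_parent() in security/keys/keyctl.c, and the second patch's hunk (starting at line 1292) sits below the point where the first patch inserts rcu_read_lock() at line 1272, so applying the NULL-check patch first would shift the RCU patch's context and risk a fuzzed or failed apply. It would help to mention that dependency in the changelog entry.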