[kernel] r16295 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Sep 16 18:59:02 UTC 2010


Author: dannf
Date: Thu Sep 16 18:58:44 2010
New Revision: 16295

Log:
* KEYS (CVE-2010-2960):
  - Fix RCU no-lock warning in keyctl_session_to_parent()
  - Fix bug in keyctl_session_to_parent() if parent has no session keyring

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/keys-fix-RCU-no-lock-warning-in-keyctl_session_to_parent.patch
   dists/sid/linux-2.6/debian/patches/bugfix/all/keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/23

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Thu Sep 16 17:33:20 2010	(r16294)
+++ dists/sid/linux-2.6/debian/changelog	Thu Sep 16 18:58:44 2010	(r16295)
@@ -21,6 +21,9 @@
     - Retruncate rax after ia32 syscall entry tracing
     - Test %rax for the syscall number, not %eax
   * wireless extensions: fix kernel heap content leak (CVE-2010-2955)
+  * KEYS (CVE-2010-2960):
+    - Fix RCU no-lock warning in keyctl_session_to_parent()
+    - Fix bug in keyctl_session_to_parent() if parent has no session keyring
 
  -- Ben Hutchings <ben at decadent.org.uk>  Wed, 15 Sep 2010 11:21:18 +0100
 

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/keys-fix-RCU-no-lock-warning-in-keyctl_session_to_parent.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/keys-fix-RCU-no-lock-warning-in-keyctl_session_to_parent.patch	Thu Sep 16 18:58:44 2010	(r16295)
@@ -0,0 +1,62 @@
+commit 9d1ac65a9698513d00e5608d93fca0c53f536c14
+Author: David Howells <dhowells at redhat.com>
+Date:   Fri Sep 10 09:59:46 2010 +0100
+
+    KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
+    
+    There's an protected access to the parent process's credentials in the middle
+    of keyctl_session_to_parent().  This results in the following RCU warning:
+    
+      ===================================================
+      [ INFO: suspicious rcu_dereference_check() usage. ]
+      ---------------------------------------------------
+      security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection!
+    
+      other info that might help us debug this:
+    
+      rcu_scheduler_active = 1, debug_locks = 0
+      1 lock held by keyctl-session-/2137:
+       #0:  (tasklist_lock){.+.+..}, at: [<ffffffff811ae2ec>] keyctl_session_to_parent+0x60/0x236
+    
+      stack backtrace:
+      Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1
+      Call Trace:
+       [<ffffffff8105606a>] lockdep_rcu_dereference+0xaa/0xb3
+       [<ffffffff811ae379>] keyctl_session_to_parent+0xed/0x236
+       [<ffffffff811af77e>] sys_keyctl+0xb4/0xb6
+       [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
+    
+    The code should take the RCU read lock to make sure the parents credentials
+    don't go away, even though it's holding a spinlock and has IRQ disabled.
+    
+    Signed-off-by: David Howells <dhowells at redhat.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
+index b2b0998..3868c67 100644
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -1272,6 +1272,7 @@ long keyctl_session_to_parent(void)
+ 	keyring_r = NULL;
+ 
+ 	me = current;
++	rcu_read_lock();
+ 	write_lock_irq(&tasklist_lock);
+ 
+ 	parent = me->real_parent;
+@@ -1319,6 +1320,7 @@ long keyctl_session_to_parent(void)
+ 	set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME);
+ 
+ 	write_unlock_irq(&tasklist_lock);
++	rcu_read_unlock();
+ 	if (oldcred)
+ 		put_cred(oldcred);
+ 	return 0;
+@@ -1327,6 +1329,7 @@ already_same:
+ 	ret = 0;
+ not_permitted:
+ 	write_unlock_irq(&tasklist_lock);
++	rcu_read_unlock();
+ 	put_cred(cred);
+ 	return ret;
+ 
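Review bot: The `rcu_read_lock()` added before `write_lock_irq(&tasklist_lock)` is paired with `rcu_read_unlock()` on both exits visible here (the success return after `write_unlock_irq` and the shared `not_permitted` path that `already_same` falls into), but keyctl_session_to_parent() starts and ends outside these hunks, so any return or goto in the stretch between the two hunks that bypasses those labels would leave the read-side critical section open; the backport should be checked against the 2.6.32 function body rather than assumed to mirror 2.6.36-rc2. Nesting the RCU section outside the irq-disabled spinlock region is legitimate for RCU, but the reason is not obvious from the code, so a one-line comment at the lock site would help, e.g. `/* RCU read-side section keeps parent's cred alive while tasklist_lock pins parent */`. The embedded commit text says "an protected access", which presumably means "unprotected"; it is inherited from the upstream message and has no effect on the patch.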

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch	Thu Sep 16 18:58:44 2010	(r16295)
@@ -0,0 +1,49 @@
+commit 3d96406c7da1ed5811ea52a3b0905f4f0e295376
+Author: David Howells <dhowells at redhat.com>
+Date:   Fri Sep 10 09:59:51 2010 +0100
+
+    KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
+    
+    Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
+    of the parent process's session keyring whether or not the parent has a session
+    keyring [CVE-2010-2960].
+    
+    This results in the following oops:
+    
+      BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
+      IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443
+      ...
+      Call Trace:
+       [<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443
+       [<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0
+       [<ffffffff811af98c>] sys_keyctl+0xb4/0xb8
+       [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
+    
+    if the parent process has no session keyring.
+    
+    If the system is using pam_keyinit then it mostly protected against this as all
+    processes derived from a login will have inherited the session keyring created
+    by pam_keyinit during the log in procedure.
+    
+    To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.
+    
+    Reported-by: Tavis Ormandy <taviso at cmpxchg8b.com>
+    Signed-off-by: David Howells <dhowells at redhat.com>
+    Acked-by: Tavis Ormandy <taviso at cmpxchg8b.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+[Backported to Debian's 2.6.32 by dann frazier <dannf at debian.org>]
+
+diff -urpN linux-source-2.6.32.orig/security/keys/keyctl.c linux-source-2.6.32/security/keys/keyctl.c
+--- linux-source-2.6.32.orig/security/keys/keyctl.c	2010-09-16 12:16:29.000000000 -0600
++++ linux-source-2.6.32/security/keys/keyctl.c	2010-09-16 12:18:32.000000000 -0600
+@@ -1292,7 +1292,8 @@ long keyctl_session_to_parent(void)
+ 		goto not_permitted;
+ 
+ 	/* the keyrings must have the same UID */
+-	if (pcred ->tgcred->session_keyring->uid != mycred->euid ||
++	if ((pcred->tgcred->session_keyring &&
++	     pcred->tgcred->session_keyring->uid != mycred->euid) ||
+ 	    mycred->tgcred->session_keyring->uid != mycred->euid)
+ 		goto not_permitted;
+ 
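Review bot: The new NULL guard covers only the parent's keyring; `mycred->tgcred->session_keyring->uid` on the last line of the condition is still dereferenced unconditionally, so the fix relies on the caller's own session keyring being guaranteed non-NULL earlier in keyctl_session_to_parent(), which lies outside this hunk — presumably the session-keyring lookup at the top of the function creates it, but that should be confirmed for the 2.6.32 source during the backport, otherwise the same NULL dereference remains reachable from the caller side and the check should be made symmetric. The existing comment `/* the keyrings must have the same UID */` no longer describes the condition fully now that a parent without a session keyring is allowed through; extending it to `/* the keyrings must have the same UID (a parent with no session keyring has nothing to protect) */` states the intended policy for the next reader. Since the parent-side check is skipped when the parent has no keyring, reviewers should be aware that the ownership test then rests solely on the earlier credential checks above this hunk.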

Modified: dists/sid/linux-2.6/debian/patches/series/23
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/23	Thu Sep 16 17:33:20 2010	(r16294)
+++ dists/sid/linux-2.6/debian/patches/series/23	Thu Sep 16 18:58:44 2010	(r16295)
@@ -12,3 +12,5 @@
 + bugfix/all/compat-make-compat_alloc_user_space-incorporate-the-access_ok.patch
 + bugfix/x86/compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
 + bugfix/all/wireless-extensions-fix-kernel-heap-content-leak.patch
++ bugfix/all/keys-fix-RCU-no-lock-warning-in-keyctl_session_to_parent.patch
++ bugfix/all/keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch


