[kernel] r19913 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Fri Mar 15 09:03:40 UTC 2013
Author: dannf
Date: Fri Mar 15 09:03:39 2013
New Revision: 19913
Log:
keys: fix race with concurrent install_user_keyrings() (CVE-2013-1792)
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/keys-fix-race-with-concurrent-install_user_keyrings.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Mon Mar 11 19:06:39 2013 (r19912)
+++ dists/squeeze-security/linux-2.6/debian/changelog Fri Mar 15 09:03:39 2013 (r19913)
@@ -1,6 +1,7 @@
linux-2.6 (2.6.32-48squeeze2) UNRELEASED; urgency=high
* USB: io_ti: Fix NULL dereference in chase_port() (CVE-2013-1774)
+ * keys: fix race with concurrent install_user_keyrings() (CVE-2013-1792)
-- dann frazier <dannf at dannf.org> Mon, 11 Mar 2013 08:47:43 +0100
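Review bot: the new entry lands in the still-UNRELEASED 2.6.32-48squeeze2 stanza whose trailer keeps the earlier "Mon, 11 Mar 2013" timestamp from the io_ti entry; that is fine while the stanza is open, but the trailer date needs to be bumped when it is closed. It would also help tracing the backport to name the upstream commit the patch file carries (0da9dfdd2cd9889201bc6f6f43580c99165cd087) in the changelog line next to the CVE, as readers of the changelog rarely open the patch.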
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/keys-fix-race-with-concurrent-install_user_keyrings.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/keys-fix-race-with-concurrent-install_user_keyrings.patch Fri Mar 15 09:03:39 2013 (r19913)
@@ -0,0 +1,68 @@
+commit 0da9dfdd2cd9889201bc6f6f43580c99165cd087
+Author: David Howells <dhowells at redhat.com>
+Date: Tue Mar 12 16:44:31 2013 +1100
+
+ keys: fix race with concurrent install_user_keyrings()
+
+ This fixes CVE-2013-1792.
+
+ There is a race in install_user_keyrings() that can cause a NULL pointer
+ dereference when called concurrently for the same user if the uid and
+ uid-session keyrings are not yet created. It might be possible for an
+ unprivileged user to trigger this by calling keyctl() from userspace in
+ parallel immediately after logging in.
+
+ Assume that we have two threads both executing lookup_user_key(), both
+ looking for KEY_SPEC_USER_SESSION_KEYRING.
+
+ THREAD A THREAD B
+ =============================== ===============================
+ ==>call install_user_keyrings();
+ if (!cred->user->session_keyring)
+ ==>call install_user_keyrings()
+ ...
+ user->uid_keyring = uid_keyring;
+ if (user->uid_keyring)
+ return 0;
+ <==
+ key = cred->user->session_keyring [== NULL]
+ user->session_keyring = session_keyring;
+ atomic_inc(&key->usage); [oops]
+
+ At the point thread A dereferences cred->user->session_keyring, thread B
+ hasn't updated user->session_keyring yet, but thread A assumes it is
+ populated because install_user_keyrings() returned ok.
+
+ The race window is really small but can be exploited if, for example,
+ thread B is interrupted or preempted after initializing uid_keyring, but
+ before doing setting session_keyring.
+
+ This couldn't be reproduced on a stock kernel. However, after placing
+ systemtap probe on 'user->session_keyring = session_keyring;' that
+ introduced some delay, the kernel could be crashed reliably.
+
+ Fix this by checking both pointers before deciding whether to return.
+ Alternatively, the test could be done away with entirely as it is checked
+ inside the mutex - but since the mutex is global, that may not be the best
+ way.
+
+ Signed-off-by: David Howells <dhowells at redhat.com>
+ Reported-by: Mateusz Guzik <mguzik at redhat.com>
+ Cc: <stable at kernel.org>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: James Morris <james.l.morris at oracle.com>
+ [dannf: adjusted to apply to Debian's 2.6.32]
+
+diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
+index 931cfda..75fb18c 100644
+--- a/security/keys/process_keys.c
++++ b/security/keys/process_keys.c
+@@ -56,7 +56,7 @@ int install_user_keyrings(void)
+
+ kenter("%p{%u}", user, user->uid);
+
+- if (user->uid_keyring) {
++ if (user->uid_keyring && user->session_keyring) {
+ kleave(" = 0 [exist]");
+ return 0;
+ }
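Review bot: the widened early-out at `+-   if (user->uid_keyring) {` / `++   if (user->uid_keyring && user->session_keyring) {` still reads both pointers without the mutex the commit message mentions, so it remains a lockless check; it is safe only because both fields are assigned under that mutex in the order the trace shows (uid_keyring first, then session_keyring), so a reader that sees session_keyring non-NULL has also seen uid_keyring, and any reader that sees either NULL falls through to the locked path where the test is repeated. A one-line comment above the condition stating that the mutex path re-checks both pointers would keep a later cleanup from "simplifying" it back to the single-pointer form that caused the oops. Separately, the `index 931cfda..75fb18c` line is carried over from the upstream commit although the body was adjusted for 2.6.32 ("[dannf: adjusted to apply to Debian's 2.6.32]"); quilt ignores it, but it will mislead anyone who tries `git apply --index` against the Debian tree, so either drop it or leave a note that the blob ids are upstream's.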
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2 Mon Mar 11 19:06:39 2013 (r19912)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2 Fri Mar 15 09:03:39 2013 (r19913)
@@ -1 +1,2 @@
+ bugfix/all/USB-io_ti-Fix-Null-dereference-in-chase-port.patch
++ bugfix/all/keys-fix-race-with-concurrent-install_user_keyrings.patch
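Added illustration, not part of this Debian commit or of the upstream patch: a small userspace C model of the interleaving described in the upstream commit message. Thread B's install is split at the preemption point (uid_keyring stored, session_keyring not yet), and thread A's lookup runs either with the old single-pointer early-out or with the patched test of both pointers. The struct, the step enumeration, the stand-in keys and the "wait for B, then re-check" stand-in for the kernel mutex are assumptions of the model, not kernel code.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed userspace model of the race fixed above (CVE-2013-1792).
 * Not kernel code: struct key_user keeps only the two pointers the fixed
 * check inspects, and the mutex in install_user_keyrings() is modelled
 * as "wait for the other thread to finish, then re-check".
 */

struct key { int usage; };

struct key_user {
    struct key *uid_keyring;
    struct key *session_keyring;
};

/* How far thread B got in install_user_keyrings() when thread A runs. */
enum install_step {
    B_NOT_STARTED = 0,
    B_AFTER_UID   = 1,   /* uid_keyring stored, session_keyring still NULL */
    B_DONE        = 2
};

static struct key uid_key, session_key;   /* stand-ins for the real keyrings */

/* Thread B's stores, in the order the commit message's trace shows
 * (uid_keyring first, then session_keyring), carried out up to `step`. */
static void install_until(struct key_user *user, enum install_step step)
{
    if (step >= B_AFTER_UID)
        user->uid_keyring = &uid_key;
    if (step >= B_DONE)
        user->session_keyring = &session_key;
}

/* The lockless early-out at the top of install_user_keyrings().
 * fixed == 0 reproduces the old single-pointer test from the hunk,
 * fixed == 1 the patched test of both pointers. */
static int fast_path_says_installed(const struct key_user *user, int fixed)
{
    if (fixed)
        return user->uid_keyring != NULL && user->session_keyring != NULL;
    return user->uid_keyring != NULL;
}

/* Thread A: lookup_user_key() for KEY_SPEC_USER_SESSION_KEYRING while
 * thread B is preempted at b_step. Returns 1 if A would dereference NULL
 * (the "[oops]" line of the commit message's trace), 0 otherwise. */
static int simulate(int fixed, enum install_step b_step)
{
    struct key_user user = { NULL, NULL };
    struct key *key;

    install_until(&user, b_step);            /* B runs, then is preempted */

    if (!fast_path_says_installed(&user, fixed)) {
        /* Slow path: take the mutex. B holds it until both pointers are
         * stored, so when A gets the lock the install is complete and the
         * re-check under the lock succeeds (or A does the install itself). */
        install_until(&user, B_DONE);
    }
    /* install_user_keyrings() returned 0; the caller trusts the pointer. */
    key = user.session_keyring;
    if (key == NULL)
        return 1;                            /* atomic_inc(&key->usage) would oops */
    key->usage++;
    return 0;
}

int main(void)
{
    int step;
    for (step = B_NOT_STARTED; step <= B_DONE; step++)
        printf("B preempted at step %d: unfixed %s, fixed %s\n", step,
               simulate(0, step) ? "OOPS" : "ok",
               simulate(1, step) ? "OOPS" : "ok");
    return 0;
}
```

Only the B_AFTER_UID interleaving differs between the two checks: the unfixed test returns success after seeing uid_keyring alone, the fixed one sends A through the locked path. In the real kernel that window is a handful of instructions, which is why the commit message reports that a stock kernel would not crash until a systemtap probe on the second store widened it.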