[kernel] r19913 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Fri Mar 15 09:03:40 UTC 2013


Author: dannf
Date: Fri Mar 15 09:03:39 2013
New Revision: 19913

Log:
keys: fix race with concurrent install_user_keyrings() (CVE-2013-1792)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/keys-fix-race-with-concurrent-install_user_keyrings.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Mon Mar 11 19:06:39 2013	(r19912)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Fri Mar 15 09:03:39 2013	(r19913)
@@ -1,6 +1,7 @@
 linux-2.6 (2.6.32-48squeeze2) UNRELEASED; urgency=high
 
   * USB: io_ti: Fix NULL dereference in chase_port() (CVE-2013-1774)
+  * keys: fix race with concurrent install_user_keyrings() (CVE-2013-1792)
 
  -- dann frazier <dannf at dannf.org>  Mon, 11 Mar 2013 08:47:43 +0100
 
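Review bot: the trailer line `-- dann frazier <dannf at dannf.org>  Mon, 11 Mar 2013 08:47:43 +0100` still carries the timestamp of the earlier USB io_ti entry even though the CVE-2013-1792 line is being added on 15 Mar; since the stanza is marked UNRELEASED this is harmless, but `dch` would normally refresh it, so consider updating the trailer when the upload is finalized so the changelog date reflects when the last fix landed.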

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/keys-fix-race-with-concurrent-install_user_keyrings.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/keys-fix-race-with-concurrent-install_user_keyrings.patch	Fri Mar 15 09:03:39 2013	(r19913)
@@ -0,0 +1,68 @@
+commit 0da9dfdd2cd9889201bc6f6f43580c99165cd087
+Author: David Howells <dhowells at redhat.com>
+Date:   Tue Mar 12 16:44:31 2013 +1100
+
+    keys: fix race with concurrent install_user_keyrings()
+    
+    This fixes CVE-2013-1792.
+    
+    There is a race in install_user_keyrings() that can cause a NULL pointer
+    dereference when called concurrently for the same user if the uid and
+    uid-session keyrings are not yet created.  It might be possible for an
+    unprivileged user to trigger this by calling keyctl() from userspace in
+    parallel immediately after logging in.
+    
+    Assume that we have two threads both executing lookup_user_key(), both
+    looking for KEY_SPEC_USER_SESSION_KEYRING.
+    
+    	THREAD A			THREAD B
+    	===============================	===============================
+    					==>call install_user_keyrings();
+    	if (!cred->user->session_keyring)
+    	==>call install_user_keyrings()
+    					...
+    					user->uid_keyring = uid_keyring;
+    	if (user->uid_keyring)
+    		return 0;
+    	<==
+    	key = cred->user->session_keyring [== NULL]
+    					user->session_keyring = session_keyring;
+    	atomic_inc(&key->usage); [oops]
+    
+    At the point thread A dereferences cred->user->session_keyring, thread B
+    hasn't updated user->session_keyring yet, but thread A assumes it is
+    populated because install_user_keyrings() returned ok.
+    
+    The race window is really small but can be exploited if, for example,
+    thread B is interrupted or preempted after initializing uid_keyring, but
+    before doing setting session_keyring.
+    
+    This couldn't be reproduced on a stock kernel.  However, after placing
+    systemtap probe on 'user->session_keyring = session_keyring;' that
+    introduced some delay, the kernel could be crashed reliably.
+    
+    Fix this by checking both pointers before deciding whether to return.
+    Alternatively, the test could be done away with entirely as it is checked
+    inside the mutex - but since the mutex is global, that may not be the best
+    way.
+    
+    Signed-off-by: David Howells <dhowells at redhat.com>
+    Reported-by: Mateusz Guzik <mguzik at redhat.com>
+    Cc: <stable at kernel.org>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: James Morris <james.l.morris at oracle.com>
+    [dannf: adjusted to apply to Debian's 2.6.32]
+
+diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
+index 931cfda..75fb18c 100644
+--- a/security/keys/process_keys.c
++++ b/security/keys/process_keys.c
+@@ -56,7 +56,7 @@ int install_user_keyrings(void)
+ 
+ 	kenter("%p{%u}", user, user->uid);
+ 
+-	if (user->uid_keyring) {
++	if (user->uid_keyring && user->session_keyring) {
+ 		kleave(" = 0 [exist]");
+ 		return 0;
+ 	}
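Review bot: the hardened fast path `if (user->uid_keyring && user->session_keyring)` still runs before the mutex the commit message refers to ("it is checked inside the mutex"), so it is an unlocked read of two pointers whose correctness depends on the writer storing `user->uid_keyring` before `user->session_keyring`, the order shown in the THREAD B column of the race diagram. Consider adding a one-line comment above the check stating that it is a lock-free early exit and that `session_keyring` is the last pointer assigned under the lock, so a future reordering of those two stores does not silently reopen the race; the alternative the message itself mentions, dropping the fast path and relying on the re-check under the mutex, removes that ordering dependency at the cost of taking the global mutex on every call. Separately, the `[dannf: adjusted to apply to Debian's 2.6.32]` line does not say what was adjusted; a short sentence naming the adjustment would let reviewers confirm the backport differs from upstream commit 0da9dfdd2cd9 only in context.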

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2	Mon Mar 11 19:06:39 2013	(r19912)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2	Fri Mar 15 09:03:39 2013	(r19913)
@@ -1 +1,2 @@
 + bugfix/all/USB-io_ti-Fix-Null-dereference-in-chase-port.patch
++ bugfix/all/keys-fix-race-with-concurrent-install_user_keyrings.patch
