[linux] 03/11: KEYS: Prevent user access to keyrings whose names start with '.'
debian-kernel at lists.debian.org
Wed Apr 26 23:25:01 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch wheezy-security
in repository linux.
commit 22b55b25fe9b47fdc2182b730d29fc44d9bf8892
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Wed Apr 26 23:15:55 2017 +0100
KEYS: Prevent user access to keyrings whose names start with '.'
This was mostly fixed without a CVE, but with one case missed which is
designated CVE-2016-9604.
---
debian/changelog | 4 ++
...ow-keyrings-beginning-with-.-to-be-joined.patch | 76 ++++++++++++++++++++++
...ate-eperm-for-a-key-type-name-beginning-w.patch | 39 +++++++++++
...special-dot-prefixed-keyring-name-bug-fix.patch | 49 ++++++++++++++
debian/patches/series | 3 +
5 files changed, 171 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index f38928a..22e59e1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -173,6 +173,10 @@ linux (3.2.88-1) UNRELEASED; urgency=medium
[ Ben Hutchings ]
* timer: Restrict timer_stats to initial PID namespace (CVE-2017-5967)
* USB: iowarrior: fix NULL-deref at probe (CVE-2016-2188)
+ * KEYS: special dot prefixed keyring name bug fix
+ * KEYS: Reinstate EPERM for a key type name beginning with a '.'
+ * KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings
+ (CVE-2016-9604)
-- Ben Hutchings <ben at decadent.org.uk> Mon, 13 Mar 2017 23:12:35 +0000
diff --git a/debian/patches/bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch b/debian/patches/bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch
new file mode 100644
index 0000000..496bd33
--- /dev/null
+++ b/debian/patches/bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch
@@ -0,0 +1,76 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 18 Apr 2017 15:31:07 +0100
+Subject: KEYS: Disallow keyrings beginning with '.' to be joined as session
+ keyrings
+Origin: https://git.kernel.org/linus/ee8f844e3c5a73b999edf733df1c529d6503ec2f
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9604
+
+This fixes CVE-2016-9604.
+
+Keyrings whose name begin with a '.' are special internal keyrings and so
+userspace isn't allowed to create keyrings by this name to prevent
+shadowing. However, the patch that added the guard didn't fix
+KEYCTL_JOIN_SESSION_KEYRING. Not only can that create dot-named keyrings,
+it can also subscribe to them as a session keyring if they grant SEARCH
+permission to the user.
+
+This, for example, allows a root process to set .builtin_trusted_keys as
+its session keyring, at which point it has full access because now the
+possessor permissions are added. This permits root to add extra public
+keys, thereby bypassing module verification.
+
+This also affects kexec and IMA.
+
+This can be tested by (as root):
+
+ keyctl session .builtin_trusted_keys
+ keyctl add user a a @s
+ keyctl list @s
+
+which on my test box gives me:
+
+ 2 keys in keyring:
+ 180010936: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: ae3d4a31b82daa8e1a75b49dc2bba949fd992a05
+ 801382539: --alswrv 0 0 user: a
+
+
+Fix this by rejecting names beginning with a '.' in the keyctl.
+
+Signed-off-by: David Howells <dhowells at redhat.com>
+Acked-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
+cc: linux-ima-devel at lists.sourceforge.net
+cc: stable at vger.kernel.org
+---
+ security/keys/keyctl.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -263,7 +263,8 @@ error:
+ * Create and join an anonymous session keyring or join a named session
+ * keyring, creating it if necessary. A named session keyring must have Search
+ * permission for it to be joined. Session keyrings without this permit will
+- * be skipped over.
++ * be skipped over. It is not permitted for userspace to create or join
++ * keyrings whose name begin with a dot.
+ *
+ * If successful, the ID of the joined session keyring will be returned.
+ */
+@@ -280,12 +281,16 @@ long keyctl_join_session_keyring(const c
+ ret = PTR_ERR(name);
+ goto error;
+ }
++
++ ret = -EPERM;
++ if (name[0] == '.')
++ goto error_name;
+ }
+
+ /* join the session */
+ ret = join_session_keyring(name);
++error_name:
+ kfree(name);
+-
+ error:
+ return ret;
+ }
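Review bot: the new `name[0] == '.'` rejection in keyctl_join_session_keyring() sits only in the syscall wrapper, while the actual lookup and join happen in join_session_keyring(); if any other in-kernel path calls join_session_keyring() with a user-controlled name, that path keeps the old behaviour, so the check would be more robust at the lower level. The placement here is otherwise sound: it is inside the `if (_name)` block, so the anonymous-session case (name == NULL) never dereferences name[0], and `goto error_name` frees the strndup_user() buffer on the EPERM path. A one-line code comment at the check explaining that ordering would save the next reader from re-deriving it from the function header.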
diff --git a/debian/patches/bugfix/all/keys-reinstate-eperm-for-a-key-type-name-beginning-w.patch b/debian/patches/bugfix/all/keys-reinstate-eperm-for-a-key-type-name-beginning-w.patch
new file mode 100644
index 0000000..31c3553
--- /dev/null
+++ b/debian/patches/bugfix/all/keys-reinstate-eperm-for-a-key-type-name-beginning-w.patch
@@ -0,0 +1,39 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 16 Sep 2014 17:29:03 +0100
+Subject: KEYS: Reinstate EPERM for a key type name beginning with a '.'
+Origin: https://git.kernel.org/linus/54e2c2c1a9d6cbb270b0999a38545fa9a69bee43
+
+Reinstate the generation of EPERM for a key type name beginning with a '.' in
+a userspace call. Types whose name begins with a '.' are internal only.
+
+The test was removed by:
+
+ commit a4e3b8d79a5c6d40f4a9703abf7fe3abcc6c3b8d
+ Author: Mimi Zohar <zohar at linux.vnet.ibm.com>
+ Date: Thu May 22 14:02:23 2014 -0400
+ Subject: KEYS: special dot prefixed keyring name bug fix
+
+I think we want to keep the restriction on type name so that userspace can't
+add keys of a special internal type.
+
+Note that removal of the test causes several of the tests in the keyutils
+testsuite to fail.
+
+Signed-off-by: David Howells <dhowells at redhat.com>
+Acked-by: Vivek Goyal <vgoyal at redhat.com>
+cc: Mimi Zohar <zohar at linux.vnet.ibm.com>
+---
+ security/keys/keyctl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -35,6 +35,8 @@ static int key_get_type_from_user(char *
+ return ret;
+ if (ret == 0 || ret >= len)
+ return -EINVAL;
++ if (type[0] == '.')
++ return -EPERM;
+ type[len - 1] = '\0';
+ return 0;
+ }
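Review bot: the reinstated `if (type[0] == '.') return -EPERM;` is placed before `type[len - 1] = '\0'`, which is safe because the `ret == 0` guard above guarantees at least one byte was copied, but this hunk is the exact inverse of the removal in keys-special-dot-prefixed-keyring-name-bug-fix.patch, so it only applies cleanly if that patch precedes it in debian/patches/series. A note in the patch header (or in the series file) stating that dependency would make the ordering explicit for later rebases.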
diff --git a/debian/patches/bugfix/all/keys-special-dot-prefixed-keyring-name-bug-fix.patch b/debian/patches/bugfix/all/keys-special-dot-prefixed-keyring-name-bug-fix.patch
new file mode 100644
index 0000000..16bb626
--- /dev/null
+++ b/debian/patches/bugfix/all/keys-special-dot-prefixed-keyring-name-bug-fix.patch
@@ -0,0 +1,49 @@
+From: Mimi Zohar <zohar at linux.vnet.ibm.com>
+Date: Thu, 22 May 2014 14:02:23 -0400
+Subject: KEYS: special dot prefixed keyring name bug fix
+Origin: https://git.kernel.org/linus/a4e3b8d79a5c6d40f4a9703abf7fe3abcc6c3b8d
+
+Dot prefixed keyring names are supposed to be reserved for the
+kernel, but add_key() calls key_get_type_from_user(), which
+incorrectly verifies the 'type' field, not the 'description' field.
+This patch verifies the 'description' field isn't dot prefixed,
+when creating a new keyring, and removes the dot prefix test in
+key_get_type_from_user().
+
+Changelog v6:
+- whitespace and other cleanup
+
+Changelog v5:
+- Only prevent userspace from creating a dot prefixed keyring, not
+ regular keys - Dmitry
+
+Reported-by: Dmitry Kasatkin <d.kasatkin at samsung.com>
+Signed-off-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
+Acked-by: David Howells <dhowells at redhat.com>
+[bwh: Backported to 3.2: adjust context, indentation]
+---
+ security/keys/keyctl.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -35,8 +35,6 @@ static int key_get_type_from_user(char *
+ return ret;
+ if (ret == 0 || ret >= len)
+ return -EINVAL;
+- if (type[0] == '.')
+- return -EPERM;
+ type[len - 1] = '\0';
+ return 0;
+ }
+@@ -75,6 +73,10 @@ SYSCALL_DEFINE5(add_key, const char __us
+ if (IS_ERR(description)) {
+ ret = PTR_ERR(description);
+ goto error;
++ } else if ((description[0] == '.') &&
++ (strncmp(type, "keyring", 7) == 0)) {
++ ret = -EPERM;
++ goto error2;
+ }
+
+ /* pull the payload in if one was supplied */
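Review bot: `strncmp(type, "keyring", 7) == 0` in the add_key() hunk matches any type name that merely starts with "keyring", not only the exact "keyring" type; `strcmp(type, "keyring") == 0` is the precise test and drops the magic length. The new branch also jumps to `error2`, which is outside the hunk: confirm that label frees the strndup_user()'d description (the existing `goto error` just above runs before description is allocated), otherwise the EPERM path leaks it. Note that the first hunk removes the `type[0] == '.'` check in key_get_type_from_user(); that check is put back by keys-reinstate-eperm-for-a-key-type-name-beginning-w.patch later in the series, so the net effect is both checks present.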
diff --git a/debian/patches/series b/debian/patches/series
index 96e71f7..36dc541 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1108,6 +1108,9 @@ bugfix/all/KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch
bugfix/all/timer-restrict-timer_stats-to-initial-pid-namespace.patch
bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch
+bugfix/all/keys-special-dot-prefixed-keyring-name-bug-fix.patch
+bugfix/all/keys-reinstate-eperm-for-a-key-type-name-beginning-w.patch
+bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch
# ABI maintenance
debian/perf-hide-abi-change-in-3.2.30.patch
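Review bot: the three new entries are order-dependent: keys-special-dot-prefixed-keyring-name-bug-fix.patch removes the `type[0] == '.'` check in key_get_type_from_user() and keys-reinstate-eperm-for-a-key-type-name-beginning-w.patch adds it back, so reordering them would make the second fail to apply. A short comment above the group recording that dependency, together with the CVE-2016-9604 reference that currently appears only in debian/changelog, would help anyone rebasing the series.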
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git