rpms/kernel/F-12 keys-get_instantiation_keyring-should-inc-the-keyring-refcount.patch, NONE, 1.1 netlink-fix-typo-in-initialization.patch, NONE, 1.1 kernel.spec, 1.1877, 1.1878
Chuck Ebbert
cebbert at fedoraproject.org
Thu Oct 22 21:58:44 UTC 2009
- Previous message (by thread): rpms/kernel/F-11 keys-get_instantiation_keyring-should-inc-the-keyring-refcount.patch, NONE, 1.1 kernel.spec, 1.1771, 1.1772
- Next message (by thread): rpms/zikula-module-Polls/devel import.log, NONE, 1.1 zikula-module-Polls.spec, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: cebbert
Update of /cvs/pkgs/rpms/kernel/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv7383
Modified Files:
kernel.spec
Added Files:
keys-get_instantiation_keyring-should-inc-the-keyring-refcount.patch
netlink-fix-typo-in-initialization.patch
Log Message:
Fix exploitable OOPS in keyring code. (CVE-2009-3624)
Fix kernel memory leak to userspace. (CVE-2009-3612)
keys-get_instantiation_keyring-should-inc-the-keyring-refcount.patch:
keyctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE keys-get_instantiation_keyring-should-inc-the-keyring-refcount.patch ---
From: David Howells <dhowells at redhat.com>
Date: Thu, 15 Oct 2009 09:14:35 +0000 (+0100)
Subject: KEYS: get_instantiation_keyring() should inc the keyring refcount in all cases
X-Git-Tag: v2.6.32-rc5~4
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=21279cfa107af07ef985539ac0de2152b9cba5f5
KEYS: get_instantiation_keyring() should inc the keyring refcount in all cases
The destination keyring specified to request_key() and co. is made available to
the process that instantiates the key (the slave process started by
/sbin/request-key typically). This is passed in the request_key_auth struct as
the dest_keyring member.
keyctl_instantiate_key and keyctl_negate_key() call get_instantiation_keyring()
to get the keyring to attach the newly constructed key to at the end of
instantiation. This may be given a specific keyring into which a link will be
made later, or it may be asked to find the keyring passed to request_key(). In
the former case, it returns a keyring with the refcount incremented by
lookup_user_key(); in the latter case, it returns the keyring from the
request_key_auth struct - and does _not_ increment the refcount.
The latter case will eventually result in an oops when the keyring prematurely
runs out of references and gets destroyed. The effect may take some time to
show up as the key is destroyed lazily.
To fix this, the keyring returned by get_instantiation_keyring() must always
have its refcount incremented, no matter where it comes from.
This can be tested by setting /etc/request-key.conf to:
#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ...
#====== ======= =============== =============== ===============================
create * test:* * |/bin/false %u %g %d %{user:_display}
negate * * * /bin/keyctl negate %k 10 @u
and then doing:
keyctl add user _display aaaaaaaa @u
while keyctl request2 user test:x test:x @u &&
keyctl list @u;
do
keyctl request2 user test:x test:x @u;
sleep 31;
keyctl list @u;
done
which will oops eventually. Changing the negate line to have @u rather than
%S at the end is important as that forces the latter case by passing a special
keyring ID rather than an actual keyring ID.
Reported-by: Alexander Zangerl <az at bond.edu.au>
Signed-off-by: David Howells <dhowells at redhat.com>
Tested-by: Alexander Zangerl <az at bond.edu.au>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
---
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 2fb28ef..06ec722 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -873,7 +873,7 @@ static long get_instantiation_keyring(key_serial_t ringid,
/* otherwise specify the destination keyring recorded in the
* authorisation key (any KEY_SPEC_*_KEYRING) */
if (ringid >= KEY_SPEC_REQUESTOR_KEYRING) {
- *_dest_keyring = rka->dest_keyring;
+ *_dest_keyring = key_get(rka->dest_keyring);
return 0;
}
netlink-fix-typo-in-initialization.patch:
cls_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE netlink-fix-typo-in-initialization.patch ---
From: Jiri Pirko <jpirko at redhat.com>
Date: Thu, 8 Oct 2009 08:21:46 +0000 (-0700)
Subject: netlink: fix typo in initialization
X-Git-Tag: v2.6.32-rc5~13^2~33
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=ad61df918c44316940404891d5082c63e79c256a
netlink: fix typo in initialization
Commit 9ef1d4c7c7aca1cd436612b6ca785b726ffb8ed8 ("[NETLINK]: Missing
initializations in dumped data") introduced a typo in
initialization. This patch fixes this.
Signed-off-by: Jiri Pirko <jpirko at redhat.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
---
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 6a53694..7cf6c0f 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -350,7 +350,7 @@ static int tcf_fill_node(struct sk_buff *skb, struct tcf_proto *tp,
tcm = NLMSG_DATA(nlh);
tcm->tcm_family = AF_UNSPEC;
tcm->tcm__pad1 = 0;
- tcm->tcm__pad1 = 0;
+ tcm->tcm__pad2 = 0;
tcm->tcm_ifindex = qdisc_dev(tp->q)->ifindex;
tcm->tcm_parent = tp->classid;
tcm->tcm_info = TC_H_MAKE(tp->prio, tp->protocol);
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-12/kernel.spec,v
retrieving revision 1.1877
retrieving revision 1.1878
diff -u -p -r1.1877 -r1.1878
--- kernel.spec 22 Oct 2009 09:58:27 -0000 1.1877
+++ kernel.spec 22 Oct 2009 21:58:44 -0000 1.1878
@@ -759,6 +759,12 @@ Patch14400: acpi-pci-fix-null-pointer-de
# fix local DoS connecting to shutdown unix socket (#529626)
Patch14401: af_unix-fix-deadlock-connecting-to-shutdown-socket.patch
+# Fix exploitable OOPS in keyring code. (CVE-2009-3624)
+Patch14410: keys-get_instantiation_keyring-should-inc-the-keyring-refcount.patch
+
+# Fix kernel memory leak to userspace. (CVE-2009-3612)
+Patch14411: netlink-fix-typo-in-initialization.patch
+
%endif
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1419,6 +1425,12 @@ ApplyPatch acpi-pci-fix-null-pointer-der
# fix for local DoS on AF_UNIX
ApplyPatch af_unix-fix-deadlock-connecting-to-shutdown-socket.patch
+# Fix exploitable OOPS in keyring code. (CVE-2009-3624)
+ApplyPatch keys-get_instantiation_keyring-should-inc-the-keyring-refcount.patch
+
+# Fix kernel memory leak to userspace. (CVE-2009-3612)
+ApplyPatch netlink-fix-typo-in-initialization.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2069,7 +2081,11 @@ fi
# and build.
%changelog
-* Thu Oct 22 2009 Dave Airlie <airlied at redhat.com>
+* Thu Oct 22 2009 Chuck Ebbert <cebbert at redhat.com>
+- Fix exploitable OOPS in keyring code. (CVE-2009-3624)
+- Fix kernel memory leak to userspace. (CVE-2009-3612)
+
+* Thu Oct 22 2009 Dave Airlie <airlied at redhat.com> 2.6.31.5-91.rc1
- kms: fix palette
* Wed Oct 21 2009 Chuck Ebbert <cebbert at redhat.com>
- Previous message (by thread): rpms/kernel/F-11 keys-get_instantiation_keyring-should-inc-the-keyring-refcount.patch, NONE, 1.1 kernel.spec, 1.1771, 1.1772
- Next message (by thread): rpms/zikula-module-Polls/devel import.log, NONE, 1.1 zikula-module-Polls.spec, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list