author | Josh Boyer <jwboyer@fedoraproject.org> | 2015-01-07 12:56:46 -0500 |
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2015-01-07 12:56:50 -0500 |
commit | 0ace95ceecdccb5f3ea208b907e0d99e3219dc54 (patch) | |
tree | 9a6a12938cf345adb6ee88c6b9a8e6f4a36d22d5 | |
parent | f5e13a9223c4f8e3e8fb11636a7623958beac293 (diff) | |
CVE-2014-9529 memory corruption or panic during key gc (rhbz 1179813 1179853)
-rw-r--r-- | KEYS-close-race-between-key-lookup-and-freeing.patch | 43 | ||||
-rw-r--r-- | kernel.spec | 7 |
2 files changed, 50 insertions, 0 deletions
diff --git a/KEYS-close-race-between-key-lookup-and-freeing.patch b/KEYS-close-race-between-key-lookup-and-freeing.patch
new file mode 100644
index 00000000..7994e2f3
--- /dev/null
+++ b/KEYS-close-race-between-key-lookup-and-freeing.patch
@@ -0,0 +1,43 @@
+From: Sasha Levin <sasha.levin () oracle ! com>
+Date: Mon, 29 Dec 2014 14:39:01 -0500
+Subject: [PATCH] KEYS: close race between key lookup and freeing
+
+When a key is being garbage collected, it's key->user would get put before
+the ->destroy() callback is called, where the key is removed from it's
+respective tracking structures.
+
+This leaves a key hanging in a semi-invalid state which leaves a window open
+for a different task to try an access key->user. An example is
+find_keyring_by_name() which would dereference key->user for a key that is
+in the process of being garbage collected (where key->user was freed but
+->destroy() wasn't called yet - so it's still present in the linked list).
+
+This would cause either a panic, or corrupt memory.
+
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+---
+ security/keys/gc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/security/keys/gc.c b/security/keys/gc.c
+index 9609a7f0faea..c7952375ac53 100644
+--- a/security/keys/gc.c
++++ b/security/keys/gc.c
+@@ -148,12 +148,12 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
+ if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
+ atomic_dec(&key->user->nikeys);
+
+- key_user_put(key->user);
+-
+ /* now throw away the key memory */
+ if (key->type->destroy)
+ key->type->destroy(key);
+
++ key_user_put(key->user);
++
+ kfree(key->description);
+
+ #ifdef KEY_DEBUGGING
+--
+2.1.0
+
diff --git a/kernel.spec b/kernel.spec
index 35f9c0e2..de88b520 100644
--- a/kernel.spec
+++ b/kernel.spec
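Review bot: The added patch file does not record which upstream commit it backports, so there is nothing to check the backport against and no signal for when to drop it once the base kernel carries the fix; a header line such as `Upstream commit: <UPSTREAM-COMMIT-ID>` (placeholder, fill in from the upstream tree) above the Signed-off-by would close that gap. The `From:` line also carries a list-archive-munged address, `sasha.levin () oracle ! com`, which does not match the Signed-off-by address and is unlikely to be accepted as an author if the file is ever fed to git am. On the C side the reorder keeps `atomic_dec(&key->user->nikeys)` before `->destroy()` and moves `key_user_put(key->user)` after it, which is the intended fix; key_gc_unused_keys() continues outside the nested hunk, so any other use of key->user later in that function is not visible here.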
@@ -682,6 +682,9 @@ Patch26122: batman-adv-Calculate-extra-tail-size-based-on-queued.patch
 #CVE-2014-9419 rhbz 1177260,1177263
 Patch26123: x86_64-switch_to-Load-TLS-descriptors-before-switchi.patch
+#CVE-2014-9529 rhbz 1179813 1179853
+Patch26124: KEYS-close-race-between-key-lookup-and-freeing.patch
+
 # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
 Patch30000: kernel-arm64.patch
@@ -1473,6 +1476,9 @@ ApplyPatch batman-adv-Calculate-extra-tail-size-based-on-queued.patch
 #CVE-2014-9419 rhbz 1177260,1177263
 ApplyPatch x86_64-switch_to-Load-TLS-descriptors-before-switchi.patch
+#CVE-2014-9529 rhbz 1179813 1179853
+ApplyPatch KEYS-close-race-between-key-lookup-and-freeing.patch
+
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
 %ifnarch aarch64
 # this is stupid, but i want to notice before secondary koji does.
@@ -2348,6 +2354,7 @@ fi
 # || ||
 %changelog
 * Wed Jan 07 2015 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2014-9529 memory corruption or panic during key gc (rhbz 1179813 1179853)
 - Enable POWERCAP and INTEL_RAPL
 * Tue Jan 06 2015 Josh Boyer <jwboyer@fedoraproject.org>
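Review bot: The new `#CVE-2014-9529 rhbz 1179813 1179853` comment lines added in the Patch26124 hunk and again in the ApplyPatch hunk separate the bug ids with a space, whereas the neighbouring CVE-2014-9419 entries on the lines just above use a comma (`rhbz 1177260,1177263`); for consistency with the rest of the spec write `#CVE-2014-9529 rhbz 1179813,1179853` in both places. The first hunk also appears to end before the trailing context lines its `@@ -682,6 +682,9 @@` header announces, which looks like a rendering artefact of this page rather than a problem in the spec itself.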