diff options
| author | Josh Boyer <jwboyer@fedoraproject.org> | 2016-01-19 11:32:18 -0500 |
|---|---|---|
| committer | Josh Boyer <jwboyer@fedoraproject.org> | 2016-01-20 08:39:25 -0500 |
| commit | a4a985bb9d81c306c70e0e5bf5a2e88c1827c93d (patch) | |
| tree | 09ecb1b71318b4b945467d299266d4edeb2a628c | |
| parent | 3192fefa2b25c60bbef0c65a6f8ec7f940799f23 (diff) | |
| download | kernel-a4a985bb9d81c306c70e0e5bf5a2e88c1827c93d.tar.gz kernel-a4a985bb9d81c306c70e0e5bf5a2e88c1827c93d.tar.xz kernel-a4a985bb9d81c306c70e0e5bf5a2e88c1827c93d.zip | |
CVE-2016-0728 Keys: reference leak in join_session_keyring (rhbz 1296623 1297475)
| -rw-r--r-- | KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch | 78 | ||||
| -rw-r--r-- | kernel.spec | 6 |
2 files changed, 84 insertions, 0 deletions
diff --git a/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch b/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch new file mode 100644 index 000000000..5eec95c62 --- /dev/null +++ b/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch @@ -0,0 +1,78 @@ +From 05fd13592b60c3e9873f56705f80ff934e98b046 Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Mon, 18 Jan 2016 10:53:31 +0000 +Subject: [PATCH] KEYS: Fix keyring ref leak in join_session_keyring() + +This fixes CVE-2016-0728. + +If a thread is asked to join as a session keyring the keyring that's already +set as its session, we leak a keyring reference. + +This can be tested with the following program: + + #include <stddef.h> + #include <stdio.h> + #include <sys/types.h> + #include <keyutils.h> + + int main(int argc, const char *argv[]) + { + int i = 0; + key_serial_t serial; + + serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, + "leaked-keyring"); + if (serial < 0) { + perror("keyctl"); + return -1; + } + + if (keyctl(KEYCTL_SETPERM, serial, + KEY_POS_ALL | KEY_USR_ALL) < 0) { + perror("keyctl"); + return -1; + } + + for (i = 0; i < 100; i++) { + serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, + "leaked-keyring"); + if (serial < 0) { + perror("keyctl"); + return -1; + } + } + + return 0; + } + +If, after the program has run, there something like the following line in +/proc/keys: + +3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty + +with a usage count of 100 * the number of times the program has been run, +then the kernel is malfunctioning. If leaked-keyring has zero usages or +has been garbage collected, then the problem is fixed. + +Reported-by: Yevgeny Pats <yevgeny@perception-point.io> +Signed-off-by: David Howells <dhowells@redhat.com> +RH-bugzilla: 1298036 +--- + security/keys/process_keys.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c +index 43b4cddbf2b3..7877e5cd4e23 100644 +--- a/security/keys/process_keys.c ++++ b/security/keys/process_keys.c +@@ -794,6 +794,7 @@ long join_session_keyring(const char *name) + ret = PTR_ERR(keyring); + goto error2; + } else if (keyring == new->session_keyring) { ++ key_put(keyring); + ret = 0; + goto error2; + } +-- +2.5.0 + diff --git a/kernel.spec b/kernel.spec index 3909e8259..6169a555d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -603,6 +603,9 @@ Patch603: ptrace-being-capable-wrt-a-process-requires-mapped-u.patch Patch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch +#CVE-2016-0728 rhbz 1296623 1297475 +Patch634: KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch + # END OF PATCH DEFINITIONS %endif @@ -2046,6 +2049,9 @@ fi # # %changelog +* Tue Jan 19 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-0728 Keys: reference leak in join_session_keyring (rhbz 1296623 1297475) + * Thu Jan 14 2016 Laura Abbott <labbott@fedoraproject.org> - Linux v4.4 |