diff options
author | Justin M. Forbes <jforbes@redhat.com> | 2016-01-19 12:45:47 -0600 |
---|---|---|
committer | Justin M. Forbes <jforbes@redhat.com> | 2016-01-19 12:45:47 -0600 |
commit | e5da0c6fbe422dbea9d498729424f6a1befa498a (patch) | |
tree | ecf09bd78282cdd6f9656f46aa1df5190abad90c | |
parent | 867de2c270475056b8c54e7518d53761f8fe15c7 (diff) | |
download | kernel-e5da0c6fbe422dbea9d498729424f6a1befa498a.tar.gz kernel-e5da0c6fbe422dbea9d498729424f6a1befa498a.tar.xz kernel-e5da0c6fbe422dbea9d498729424f6a1befa498a.zip |
Linux v4.4-8855-ga200dcb
-rw-r--r-- | KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch | 78 | ||||
-rw-r--r-- | config-armv7-lpae | 1 | ||||
-rw-r--r-- | config-generic | 3 | ||||
-rw-r--r-- | gitrev | 2 | ||||
-rw-r--r-- | kernel.spec | 9 | ||||
-rw-r--r-- | sources | 2 |
6 files changed, 91 insertions, 4 deletions
diff --git a/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch b/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch new file mode 100644 index 000000000..5eec95c62 --- /dev/null +++ b/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch @@ -0,0 +1,78 @@ +From 05fd13592b60c3e9873f56705f80ff934e98b046 Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Mon, 18 Jan 2016 10:53:31 +0000 +Subject: [PATCH] KEYS: Fix keyring ref leak in join_session_keyring() + +This fixes CVE-2016-0728. + +If a thread is asked to join as a session keyring the keyring that's already +set as its session, we leak a keyring reference. + +This can be tested with the following program: + + #include <stddef.h> + #include <stdio.h> + #include <sys/types.h> + #include <keyutils.h> + + int main(int argc, const char *argv[]) + { + int i = 0; + key_serial_t serial; + + serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, + "leaked-keyring"); + if (serial < 0) { + perror("keyctl"); + return -1; + } + + if (keyctl(KEYCTL_SETPERM, serial, + KEY_POS_ALL | KEY_USR_ALL) < 0) { + perror("keyctl"); + return -1; + } + + for (i = 0; i < 100; i++) { + serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, + "leaked-keyring"); + if (serial < 0) { + perror("keyctl"); + return -1; + } + } + + return 0; + } + +If, after the program has run, there something like the following line in +/proc/keys: + +3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty + +with a usage count of 100 * the number of times the program has been run, +then the kernel is malfunctioning. If leaked-keyring has zero usages or +has been garbage collected, then the problem is fixed. + +Reported-by: Yevgeny Pats <yevgeny@perception-point.io> +Signed-off-by: David Howells <dhowells@redhat.com> +RH-bugzilla: 1298036 +--- + security/keys/process_keys.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c +index 43b4cddbf2b3..7877e5cd4e23 100644 +--- a/security/keys/process_keys.c ++++ b/security/keys/process_keys.c +@@ -794,6 +794,7 @@ long join_session_keyring(const char *name) + ret = PTR_ERR(keyring); + goto error2; + } else if (keyring == new->session_keyring) { ++ key_put(keyring); + ret = 0; + goto error2; + } +-- +2.5.0 + diff --git a/config-armv7-lpae b/config-armv7-lpae index 483c49960..828b13a87 100644 --- a/config-armv7-lpae +++ b/config-armv7-lpae @@ -81,3 +81,4 @@ CONFIG_GPIO_SYSCON=m # CONFIG_SND_SOC_TEGRA20_DAS is not set # CONFIG_SND_SOC_TEGRA20_SPDIF is not set # CONFIG_SND_SOC_TEGRA_RT5677 is not set +# CONFIG_DRM_OMAP is not set diff --git a/config-generic b/config-generic index f9b630382..b9109aafc 100644 --- a/config-generic +++ b/config-generic @@ -3222,6 +3222,7 @@ CONFIG_RTC_DRV_V3020=m CONFIG_RTC_DRV_DS2404=m CONFIG_RTC_DRV_STK17TA8=m # CONFIG_RTC_DRV_S35390A is not set +CONFIG_RTC_DRV_RX8010=m CONFIG_RTC_DRV_RX8581=m CONFIG_RTC_DRV_RX8025=m CONFIG_RTC_DRV_DS1286=m @@ -5256,7 +5257,7 @@ CONFIG_SND_SOC_GENERIC_DMAENGINE_PCM=y # CONFIG_SND_SOC_STI_SAS is not set # CONFIG_SND_SOC_INNO_RK3036 is not set # CONFIG_SND_SOC_IMG is not set -# CONFIG_SND_SOC_AMD_ACP is not set +CONFIG_SND_SOC_AMD_ACP=m CONFIG_BALLOON_COMPACTION=y CONFIG_COMPACTION=y @@ -1 +1 @@ -5807fcaa9bf7dd87241df739161c119cf78a6bc4 +a200dcb34693084e56496960d855afdeaaf9578f diff --git a/kernel.spec b/kernel.spec index 0aa0c6010..d6d1a2cd7 100644 --- a/kernel.spec +++ b/kernel.spec @@ -67,7 +67,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 0 # The git snapshot level -%define gitrev 5 +%define gitrev 6 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif @@ -599,6 +599,9 @@ Patch623: usb-serial-visor-fix-crash-on-detecting-device-witho.patch # https://patchwork.kernel.org/patch/8055301/ Patch625: cpupower-Fix-build-error-in-cpufreq-info.patch +#CVE-2016-0728 rhbz 1296623 +Patch626: KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch + # END OF PATCH DEFINITIONS %endif @@ -2044,6 +2047,10 @@ fi # # %changelog +* Tue Jan 19 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.5.0-0.rc0.git6.1 +- Linux v4.4-8855-ga200dcb +- CVE-2016-0728 Keys: reference leak in join_session_keyring (rhbz 1296623) + * Tue Jan 19 2016 Peter Robinson <pbrobinson@fedoraproject.org> - Fix boot on TI am33xx/omap devices @@ -1,3 +1,3 @@ 9a78fa2eb6c68ca5a40ed5af08142599 linux-4.4.tar.xz dcbc8fe378a676d5d0dd208cf524e144 perf-man-4.4.tar.gz -37c094912e7812f0a856e67aa313c9e8 patch-4.4-git5.xz +64ceedc19f6080bedbafdc1321d9ac95 patch-4.4-git6.xz |