summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJosh Boyer <jwboyer@redhat.com>2014-02-28 11:48:34 -0500
committerJosh Boyer <jwboyer@redhat.com>2014-02-28 11:48:34 -0500
commit2edcdbfc985724b57a74b996ef5cac8ca1698423 (patch)
tree45d1769fabf337f34fcb0678968ab7af82f8764f
parent2323b0271d510cc68f03f30dc43e49e461d5660a (diff)
downloadkernel-2edcdbfc985724b57a74b996ef5cac8ca1698423.tar.gz
kernel-2edcdbfc985724b57a74b996ef5cac8ca1698423.tar.xz
kernel-2edcdbfc985724b57a74b996ef5cac8ca1698423.zip
CVE-2014-0102 keyctl_link can be used to cause an oops (rhbz 1071396)
-rw-r--r--kernel.spec9
-rw-r--r--keyring-fix.patch17
2 files changed, 26 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec
index 6d98d6113..bca5c883c 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -634,6 +634,9 @@ Patch25203: dma-debug-account-for-cachelines-and-read-only-mappings.patch
#rhbz 1056170
Patch25025: usb-ehci-fix-deadlock-when-threadirqs-option-is-used.patch
+#CVE-2014-0102 rhbz 1071396
+Patch25026: keyring-fix.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1287,6 +1290,9 @@ ApplyPatch dma-debug-account-for-cachelines-and-read-only-mappings.patch
#rhbz 1056170
ApplyPatch usb-ehci-fix-deadlock-when-threadirqs-option-is-used.patch
+#CVE-2014-0102 rhbz 1071396
+ApplyPatch keyring-fix.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2066,6 +2072,9 @@ fi
# ||----w |
# || ||
%changelog
+* Fri Feb 28 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2014-0102 keyctl_link can be used to cause an oops (rhbz 1071396)
+
* Thu Feb 27 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.14.0-0.rc4.git2.1
- Linux v3.14-rc4-45-gd2a0476
diff --git a/keyring-fix.patch b/keyring-fix.patch
new file mode 100644
index 000000000..6539144e4
--- /dev/null
+++ b/keyring-fix.patch
@@ -0,0 +1,17 @@
+@@ -, +, @@
+---
+--- a/security/keys/keyring.c
++++ a/security/keys/keyring.c
+@@ -1000,7 +1000,11 @@ static int keyring_detect_cycle_iterator(const void *object,
+
+ kenter("{%d}", key->serial);
+
+- BUG_ON(key != ctx->match_data);
++ /* We might get a keyring with matching index-key that is nonetheless a
++ * different keyring. */
++ if (key != ctx->match_data)
++ return 0;
++
+ ctx->result = ERR_PTR(-EDEADLK);
+ return 1;
+ }