Re: [PATCH 4.1.y] KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg KH <greg@kroah.com>
To: Chas Williams <3chas3@gmail.com>
Cc: stable@vger.kernel.org, David Howells <dhowells@redhat.com>
Subject: Re: [PATCH 4.1.y] KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring
Date: Wed, 20 Jan 2016 08:45:31 -0800	[thread overview]
Message-ID: <20160120164531.GB28629@kroah.com> (raw)
In-Reply-To: <1449010000-1144-1-git-send-email-3chas3@gmail.com>

On Tue, Dec 01, 2015 at 05:46:40PM -0500, Chas Williams wrote:
> From: David Howells <dhowells@redhat.com>
> 
> Commit f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61 upstream.
> 
> The following sequence of commands:
> 
>     i=`keyctl add user a a @s`
>     keyctl request2 keyring foo bar @t
>     keyctl unlink $i @s
> 
> tries to invoke an upcall to instantiate a keyring if one doesn't already
> exist by that name within the user's keyring set.  However, if the upcall
> fails, the code sets keyring->type_data.reject_error to -ENOKEY or some
> other error code.  When the key is garbage collected, the key destroy
> function is called unconditionally and keyring_destroy() uses list_empty()
> on keyring->type_data.link - which is in a union with reject_error.
> Subsequently, the kernel tries to unlink the keyring from the keyring names
> list - which oopses like this:
> 
> 	BUG: unable to handle kernel paging request at 00000000ffffff8a
> 	IP: [<ffffffff8126e051>] keyring_destroy+0x3d/0x88
> 	...
> 	Workqueue: events key_garbage_collector
> 	...
> 	RIP: 0010:[<ffffffff8126e051>] keyring_destroy+0x3d/0x88
> 	RSP: 0018:ffff88003e2f3d30  EFLAGS: 00010203
> 	RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000
> 	RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40
> 	RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000
> 	R10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900
> 	R13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000
> 	...
> 	CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0
> 	...
> 	Call Trace:
> 	 [<ffffffff8126c756>] key_gc_unused_keys.constprop.1+0x5d/0x10f
> 	 [<ffffffff8126ca71>] key_garbage_collector+0x1fa/0x351
> 	 [<ffffffff8105ec9b>] process_one_work+0x28e/0x547
> 	 [<ffffffff8105fd17>] worker_thread+0x26e/0x361
> 	 [<ffffffff8105faa9>] ? rescuer_thread+0x2a8/0x2a8
> 	 [<ffffffff810648ad>] kthread+0xf3/0xfb
> 	 [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
> 	 [<ffffffff815f2ccf>] ret_from_fork+0x3f/0x70
> 	 [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
> 
> Note the value in RAX.  This is a 32-bit representation of -ENOKEY.
> 
> The solution is to only call ->destroy() if the key was successfully
> instantiated.
> 
> Fixes CVE-2015-7872.
> 
> Reported-by: Dmitry Vyukov <dvyukov@google.com>
> Signed-off-by: David Howells <dhowells@redhat.com>
> Tested-by: Dmitry Vyukov <dvyukov@google.com>
> [3chas3@gmail.com: backported to 4.1 due to context changes]

I took an earlier keys patch as well, which didn't require this context
change, but thanks for the backport.

greg k-h

     prev parent reply	other threads:[~2016-01-20 16:45 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-12-01 22:46 [PATCH 4.1.y] KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring Chas Williams
2016-01-20 16:45 ` Greg KH [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160120164531.GB28629@kroah.com \
    --to=greg@kroah.com \
    --cc=3chas3@gmail.com \
    --cc=dhowells@redhat.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.