From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Yevgeny Pats <yevgeny@perception-point.io>,
David Howells <dhowells@redhat.com>,
Don Zickus <dzickus@redhat.com>,
Prarit Bhargava <prarit@redhat.com>,
Jarod Wilson <jarod@redhat.com>,
James Morris <james.l.morris@oracle.com>
Subject: [PATCH 3.10 35/35] KEYS: Fix keyring ref leak in join_session_keyring()
Date: Wed, 20 Jan 2016 14:01:05 -0800 [thread overview]
Message-ID: <20160120211955.574221914@linuxfoundation.org> (raw)
In-Reply-To: <20160120211951.234493363@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yevgeny Pats <yevgeny@perception-point.io>
commit 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2 upstream.
This fixes CVE-2016-0728.
If a thread is asked to join as a session keyring the keyring that's already
set as its session, we leak a keyring reference.
This can be tested with the following program:
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <keyutils.h>
int main(int argc, const char *argv[])
{
int i = 0;
key_serial_t serial;
serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
"leaked-keyring");
if (serial < 0) {
perror("keyctl");
return -1;
}
if (keyctl(KEYCTL_SETPERM, serial,
KEY_POS_ALL | KEY_USR_ALL) < 0) {
perror("keyctl");
return -1;
}
for (i = 0; i < 100; i++) {
serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
"leaked-keyring");
if (serial < 0) {
perror("keyctl");
return -1;
}
}
return 0;
}
If, after the program has run, there something like the following line in
/proc/keys:
3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty
with a usage count of 100 * the number of times the program has been run,
then the kernel is malfunctioning. If leaked-keyring has zero usages or
has been garbage collected, then the problem is fixed.
Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Don Zickus <dzickus@redhat.com>
Acked-by: Prarit Bhargava <prarit@redhat.com>
Acked-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/keys/process_keys.c | 1 +
1 file changed, 1 insertion(+)
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -792,6 +792,7 @@ long join_session_keyring(const char *na
ret = PTR_ERR(keyring);
goto error2;
} else if (keyring == new->session_keyring) {
+ key_put(keyring);
ret = 0;
goto error2;
}
next prev parent reply other threads:[~2016-01-20 22:15 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-20 22:00 [PATCH 3.10 00/35] 3.10.95-stable review Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 01/35] unix: avoid use-after-free in ep_remove_wait_queue Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 02/35] sctp: translate host order to network order when setting a hmacid Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 03/35] snmp: Remove duplicate OUTMCAST stat increment Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 05/35] tcp: md5: fix lockdep annotation Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 06/35] tcp: initialize tp->copied_seq in case of cross SYN connection Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 07/35] net, scm: fix PaX detected msg_controllen overflow in scm_detach_fds Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 08/35] net: ipmr: fix static mfc/dev leaks on table destruction Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 09/35] net: ip6mr: " Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 10/35] broadcom: fix PHY_ID_BCM5481 entry in the id table Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 11/35] ipv6: distinguish frag queues by device for multicast and link-local packets Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 12/35] ipv6: sctp: implement sctp_v6_destroy_sock() Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 13/35] Btrfs: fix race leading to BUG_ON when running delalloc for nodatacow Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 14/35] ext4, jbd2: ensure entering into panic after recording an error in superblock Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 15/35] firewire: ohci: fix JMicron JMB38x IT context discovery Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 16/35] nfs4: start callback_ident at idr 1 Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 17/35] nfs: if we have no valid attrs, then dont declare the attribute cache valid Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 18/35] USB: cdc_acm: Ignore Infineon Flash Loader utility Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 19/35] USB: cp210x: Remove CP2110 ID from compatibility list Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 20/35] USB: add quirk for devices with broken LPM Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 21/35] USB: whci-hcd: add check for dma mapping error Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 22/35] usb: Use the USB_SS_MULT() macro to decode burst multiplier for log message Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 23/35] gre6: allow to update all parameters via rtnl Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 24/35] atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 25/35] sctp: update the netstamp_needed counter when copying sockets Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 26/35] ipv6: sctp: clone options to avoid use after free Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 28/35] sh_eth: fix kernel oops in skb_put() Greg Kroah-Hartman
2016-01-20 22:00 ` [PATCH 3.10 29/35] pptp: verify sockaddr_len in pptp_bind() and pptp_connect() Greg Kroah-Hartman
2016-01-20 22:01 ` [PATCH 3.10 30/35] bluetooth: Validate socket address length in sco_sock_bind() Greg Kroah-Hartman
2016-01-20 22:01 ` [PATCH 3.10 31/35] af_unix: Revert lock_interruptible in stream receive code Greg Kroah-Hartman
2016-01-20 22:01 ` [PATCH 3.10 32/35] KEYS: Fix race between key destruction and finding a keyring by name Greg Kroah-Hartman
2016-01-20 22:01 ` [PATCH 3.10 33/35] KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring Greg Kroah-Hartman
2016-01-20 22:01 ` [PATCH 3.10 34/35] KEYS: Fix race between read and revoke Greg Kroah-Hartman
2016-01-20 22:01 ` Greg Kroah-Hartman [this message]
2016-01-20 23:14 ` [PATCH 3.10 00/35] 3.10.95-stable review Shuah Khan
2016-01-21 7:06 ` Willy Tarreau
2016-01-22 7:52 ` Greg Kroah-Hartman
2016-01-22 8:30 ` Willy Tarreau
2016-01-21 12:20 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160120211955.574221914@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dhowells@redhat.com \
--cc=dzickus@redhat.com \
--cc=james.l.morris@oracle.com \
--cc=jarod@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=prarit@redhat.com \
--cc=stable@vger.kernel.org \
--cc=yevgeny@perception-point.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.