* [request for stable 3.x 4.1 inclusion][PATCH 0/2] fix for security/keys
@ 2015-11-18 8:14 Wang Kai
2015-11-18 8:14 ` [PATCH 1/2] KEYS: Fix race between key destruction and finding a keyring by name Wang Kai
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Wang Kai @ 2015-11-18 8:14 UTC (permalink / raw)
To: sasha.levin, jslaby, gregkh, lizf; +Cc: stable, ben, dhowells
The first patch is a bugfix for race condition.
The second patch is the fix for CVE-2015-7872.
Backport first one will make second CVE fix directly cherry-picked.
Stable 3.2.y has included these 2 patches in v3.2.73.
Stable 3.1x.y and 4.1.y can cherry-pick these 2 patches.
Stable 3.4.y can cherry-pick the backported patches in 3.2.y which
ID are below:
a6826ecbeab9c832ed742653de895ad4de61c858
KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring
650f6aa8c3c805bd41c4243aadbd63558f39fd32
KEYS: Fix race between key destruction and finding a keyring by name
David Howells (2):
KEYS: Fix race between key destruction and finding a keyring by name
KEYS: Fix crash when attempt to garbage collect an uninstantiated
keyring
security/keys/gc.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--
1.8.3.4
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 1/2] KEYS: Fix race between key destruction and finding a keyring by name
2015-11-18 8:14 [request for stable 3.x 4.1 inclusion][PATCH 0/2] fix for security/keys Wang Kai
@ 2015-11-18 8:14 ` Wang Kai
2015-11-18 8:14 ` [PATCH 2/2] KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring Wang Kai
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Wang Kai @ 2015-11-18 8:14 UTC (permalink / raw)
To: sasha.levin, jslaby, gregkh, lizf; +Cc: stable, ben, dhowells
From: David Howells <dhowells@redhat.com>
commit 94c4554ba07adbdde396748ee7ae01e86cf2d8d7 upstream.
There appears to be a race between:
(1) key_gc_unused_keys() which frees key->security and then calls
keyring_destroy() to unlink the name from the name list
(2) find_keyring_by_name() which calls key_permission(), thus accessing
key->security, on a key before checking to see whether the key usage is 0
(ie. the key is dead and might be cleaned up).
Fix this by calling ->destroy() before cleaning up the core key data -
including key->security.
Reported-by: Petr Matousek <pmatouse@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
---
security/keys/gc.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/security/keys/gc.c b/security/keys/gc.c
index 7978186..483ebdf 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -187,6 +187,10 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
kdebug("- %u", key->serial);
key_check(key);
+ /* Throw away the key data */
+ if (key->type->destroy)
+ key->type->destroy(key);
+
security_key_free(key);
/* deal with the user's key tracking and quota */
@@ -201,10 +205,6 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
atomic_dec(&key->user->nikeys);
- /* now throw away the key memory */
- if (key->type->destroy)
- key->type->destroy(key);
-
key_user_put(key->user);
kfree(key->description);
--
1.8.3.4
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 2/2] KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring
2015-11-18 8:14 [request for stable 3.x 4.1 inclusion][PATCH 0/2] fix for security/keys Wang Kai
2015-11-18 8:14 ` [PATCH 1/2] KEYS: Fix race between key destruction and finding a keyring by name Wang Kai
@ 2015-11-18 8:14 ` Wang Kai
2015-11-18 9:28 ` [request for stable 3.x 4.1 inclusion][PATCH 0/2] fix for security/keys Jiri Slaby
2016-01-20 16:45 ` Greg KH
3 siblings, 0 replies; 5+ messages in thread
From: Wang Kai @ 2015-11-18 8:14 UTC (permalink / raw)
To: sasha.levin, jslaby, gregkh, lizf; +Cc: stable, ben, dhowells
From: David Howells <dhowells@redhat.com>
commit f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61 upstream.
The following sequence of commands:
i=`keyctl add user a a @s`
keyctl request2 keyring foo bar @t
keyctl unlink $i @s
tries to invoke an upcall to instantiate a keyring if one doesn't already
exist by that name within the user's keyring set. However, if the upcall
fails, the code sets keyring->type_data.reject_error to -ENOKEY or some
other error code. When the key is garbage collected, the key destroy
function is called unconditionally and keyring_destroy() uses list_empty()
on keyring->type_data.link - which is in a union with reject_error.
Subsequently, the kernel tries to unlink the keyring from the keyring names
list - which oopses like this:
BUG: unable to handle kernel paging request at 00000000ffffff8a
IP: [<ffffffff8126e051>] keyring_destroy+0x3d/0x88
...
Workqueue: events key_garbage_collector
...
RIP: 0010:[<ffffffff8126e051>] keyring_destroy+0x3d/0x88
RSP: 0018:ffff88003e2f3d30 EFLAGS: 00010203
RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40
RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000
R10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900
R13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000
...
CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0
...
Call Trace:
[<ffffffff8126c756>] key_gc_unused_keys.constprop.1+0x5d/0x10f
[<ffffffff8126ca71>] key_garbage_collector+0x1fa/0x351
[<ffffffff8105ec9b>] process_one_work+0x28e/0x547
[<ffffffff8105fd17>] worker_thread+0x26e/0x361
[<ffffffff8105faa9>] ? rescuer_thread+0x2a8/0x2a8
[<ffffffff810648ad>] kthread+0xf3/0xfb
[<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
[<ffffffff815f2ccf>] ret_from_fork+0x3f/0x70
[<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
Note the value in RAX. This is a 32-bit representation of -ENOKEY.
The solution is to only call ->destroy() if the key was successfully
instantiated.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
---
security/keys/gc.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/security/keys/gc.c b/security/keys/gc.c
index 483ebdf..de34c29 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -187,8 +187,10 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
kdebug("- %u", key->serial);
key_check(key);
- /* Throw away the key data */
- if (key->type->destroy)
+ /* Throw away the key data if the key is instantiated */
+ if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags) &&
+ !test_bit(KEY_FLAG_NEGATIVE, &key->flags) &&
+ key->type->destroy)
key->type->destroy(key);
security_key_free(key);
--
1.8.3.4
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [request for stable 3.x 4.1 inclusion][PATCH 0/2] fix for security/keys
2015-11-18 8:14 [request for stable 3.x 4.1 inclusion][PATCH 0/2] fix for security/keys Wang Kai
2015-11-18 8:14 ` [PATCH 1/2] KEYS: Fix race between key destruction and finding a keyring by name Wang Kai
2015-11-18 8:14 ` [PATCH 2/2] KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring Wang Kai
@ 2015-11-18 9:28 ` Jiri Slaby
2016-01-20 16:45 ` Greg KH
3 siblings, 0 replies; 5+ messages in thread
From: Jiri Slaby @ 2015-11-18 9:28 UTC (permalink / raw)
To: Wang Kai, sasha.levin, gregkh, lizf; +Cc: stable, ben, dhowells
On 11/18/2015, 09:14 AM, Wang Kai wrote:
> The first patch is a bugfix for race condition.
> The second patch is the fix for CVE-2015-7872.
> Backport first one will make second CVE fix directly cherry-picked.
>
> Stable 3.2.y has included these 2 patches in v3.2.73.
>
> Stable 3.1x.y and 4.1.y can cherry-pick these 2 patches.
Done for 3.12. Thanks!
--
js
suse labs
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [request for stable 3.x 4.1 inclusion][PATCH 0/2] fix for security/keys
2015-11-18 8:14 [request for stable 3.x 4.1 inclusion][PATCH 0/2] fix for security/keys Wang Kai
` (2 preceding siblings ...)
2015-11-18 9:28 ` [request for stable 3.x 4.1 inclusion][PATCH 0/2] fix for security/keys Jiri Slaby
@ 2016-01-20 16:45 ` Greg KH
3 siblings, 0 replies; 5+ messages in thread
From: Greg KH @ 2016-01-20 16:45 UTC (permalink / raw)
To: Wang Kai; +Cc: sasha.levin, jslaby, lizf, stable, ben, dhowells
On Wed, Nov 18, 2015 at 08:14:48AM +0000, Wang Kai wrote:
> The first patch is a bugfix for race condition.
> The second patch is the fix for CVE-2015-7872.
> Backport first one will make second CVE fix directly cherry-picked.
>
> Stable 3.2.y has included these 2 patches in v3.2.73.
>
> Stable 3.1x.y and 4.1.y can cherry-pick these 2 patches.
Now applied, thanks.
greg k-h
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-01-20 16:45 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-11-18 8:14 [request for stable 3.x 4.1 inclusion][PATCH 0/2] fix for security/keys Wang Kai
2015-11-18 8:14 ` [PATCH 1/2] KEYS: Fix race between key destruction and finding a keyring by name Wang Kai
2015-11-18 8:14 ` [PATCH 2/2] KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring Wang Kai
2015-11-18 9:28 ` [request for stable 3.x 4.1 inclusion][PATCH 0/2] fix for security/keys Jiri Slaby
2016-01-20 16:45 ` Greg KH
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).