diff options
| author | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-01-01 10:49:21 +0000 |
|---|---|---|
| committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-01-01 11:23:41 +0000 |
| commit | 4e1c1da17e075b7dbabef56d8f11b1b31f89bed9 (patch) | |
| tree | b059d35eeb962a5f40a5b417cf1a53ca79b82f9f /main/linux-grsec/keys-fixes.patch | |
| parent | a580066b5c02d154c8a4cc0acfd2a2ef8c08afb6 (diff) | |
| download | aports-4e1c1da17e075b7dbabef56d8f11b1b31f89bed9.tar.bz2 aports-4e1c1da17e075b7dbabef56d8f11b1b31f89bed9.tar.xz | |
main/linux-grsec: security fixes (CVE-2015-7872, CVE-2015-7885)
Diffstat (limited to 'main/linux-grsec/keys-fixes.patch')
| -rw-r--r-- | main/linux-grsec/keys-fixes.patch | 117 |
1 files changed, 117 insertions, 0 deletions
diff --git a/main/linux-grsec/keys-fixes.patch b/main/linux-grsec/keys-fixes.patch new file mode 100644 index 0000000000..8ef8a0c359 --- /dev/null +++ b/main/linux-grsec/keys-fixes.patch @@ -0,0 +1,117 @@ +From f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61 Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Thu, 15 Oct 2015 17:21:37 +0100 +Subject: KEYS: Fix crash when attempt to garbage collect an uninstantiated + keyring + +The following sequence of commands: + + i=`keyctl add user a a @s` + keyctl request2 keyring foo bar @t + keyctl unlink $i @s + +tries to invoke an upcall to instantiate a keyring if one doesn't already +exist by that name within the user's keyring set. However, if the upcall +fails, the code sets keyring->type_data.reject_error to -ENOKEY or some +other error code. When the key is garbage collected, the key destroy +function is called unconditionally and keyring_destroy() uses list_empty() +on keyring->type_data.link - which is in a union with reject_error. +Subsequently, the kernel tries to unlink the keyring from the keyring names +list - which oopses like this: + + BUG: unable to handle kernel paging request at 00000000ffffff8a + IP: [<ffffffff8126e051>] keyring_destroy+0x3d/0x88 + ... + Workqueue: events key_garbage_collector + ... + RIP: 0010:[<ffffffff8126e051>] keyring_destroy+0x3d/0x88 + RSP: 0018:ffff88003e2f3d30 EFLAGS: 00010203 + RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40 + RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000 + R10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900 + R13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000 + ... + CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0 + ... + Call Trace: + [<ffffffff8126c756>] key_gc_unused_keys.constprop.1+0x5d/0x10f + [<ffffffff8126ca71>] key_garbage_collector+0x1fa/0x351 + [<ffffffff8105ec9b>] process_one_work+0x28e/0x547 + [<ffffffff8105fd17>] worker_thread+0x26e/0x361 + [<ffffffff8105faa9>] ? rescuer_thread+0x2a8/0x2a8 + [<ffffffff810648ad>] kthread+0xf3/0xfb + [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2 + [<ffffffff815f2ccf>] ret_from_fork+0x3f/0x70 + [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2 + +Note the value in RAX. This is a 32-bit representation of -ENOKEY. + +The solution is to only call ->destroy() if the key was successfully +instantiated. + +Reported-by: Dmitry Vyukov <dvyukov@google.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Tested-by: Dmitry Vyukov <dvyukov@google.com> +--- + security/keys/gc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/security/keys/gc.c b/security/keys/gc.c +index 39eac1f..addf060 100644 +--- a/security/keys/gc.c ++++ b/security/keys/gc.c +@@ -134,8 +134,10 @@ static noinline void key_gc_unused_keys(struct list_head *keys) + kdebug("- %u", key->serial); + key_check(key); + +- /* Throw away the key data */ +- if (key->type->destroy) ++ /* Throw away the key data if the key is instantiated */ ++ if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags) && ++ !test_bit(KEY_FLAG_NEGATIVE, &key->flags) && ++ key->type->destroy) + key->type->destroy(key); + + security_key_free(key); +-- +cgit v0.11.2 + + +From 911b79cde95c7da0ec02f48105358a36636b7a71 Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Mon, 19 Oct 2015 11:20:28 +0100 +Subject: KEYS: Don't permit request_key() to construct a new keyring + +If request_key() is used to find a keyring, only do the search part - don't +do the construction part if the keyring was not found by the search. We +don't really want keyrings in the negative instantiated state since the +rejected/negative instantiation error value in the payload is unioned with +keyring metadata. + +Now the kernel gives an error: + + request_key("keyring", "#selinux,bdekeyring", "keyring", KEY_SPEC_USER_SESSION_KEYRING) = -1 EPERM (Operation not permitted) + +Signed-off-by: David Howells <dhowells@redhat.com> +--- + security/keys/request_key.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/security/keys/request_key.c b/security/keys/request_key.c +index 486ef6f..0d62531 100644 +--- a/security/keys/request_key.c ++++ b/security/keys/request_key.c +@@ -440,6 +440,9 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx, + + kenter(""); + ++ if (ctx->index_key.type == &key_type_keyring) ++ return ERR_PTR(-EPERM); ++ + user = key_user_lookup(current_fsuid()); + if (!user) + return ERR_PTR(-ENOMEM); +-- +cgit v0.11.2 + |