[kernel/f13/master] Add fix for CVE-2010-2960: keyctl_session_to_parent NULL deref system crash

Chuck Ebbert cebbert at fedoraproject.org
Sat Sep 4 12:14:55 UTC 2010 

commit b9c237fd69656643742b8ade88b3b5c39b7c244d
Author: Chuck Ebbert <cebbert at redhat.com>
Date:   Sat Sep 4 08:15:16 2010 -0400

    Add fix for CVE-2010-2960: keyctl_session_to_parent NULL deref system crash

 kernel.spec                                        |    7 ++
 ...o-parent-if-parent-has-no-session-keyring.patch |   57 +++++++++++++++++
 ...-lock-warning-in-keyctl-session-to-parent.patch |   64 ++++++++++++++++++++
 3 files changed, 128 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index d2f47d4..92dcd4b 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -778,6 +778,8 @@ Patch12517: flexcop-fix-xlate_proc_name-warning.patch
 
 Patch12520: acpi-ec-pm-fix-race-between-ec-transactions-and-system-suspend.patch
 Patch12521: nfs-fix-an-oops-in-the-nfsv4-atomic-open-code.patch
+Patch12522: keys-fix-bug-in-keyctl-session-to-parent-if-parent-has-no-session-keyring.patch
+Patch12523: keys-fix-rcu-no-lock-warning-in-keyctl-session-to-parent.patch
 
 %endif
 
@@ -1464,6 +1466,10 @@ ApplyPatch acpi-ec-pm-fix-race-between-ec-transactions-and-system-suspend.patch
 # this went in 2.6.35-stable
 ApplyPatch nfs-fix-an-oops-in-the-nfsv4-atomic-open-code.patch
 
+# CVE-2010-2960
+ApplyPatch keys-fix-bug-in-keyctl-session-to-parent-if-parent-has-no-session-keyring.patch
+ApplyPatch keys-fix-rcu-no-lock-warning-in-keyctl-session-to-parent.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2089,6 +2095,7 @@ fi
 - acpi-ec-pm-fix-race-between-ec-transactions-and-system-suspend.patch:
   another possible fix for suspend/resume problems.
 - From 2.6.35.4: nfs-fix-an-oops-in-the-nfsv4-atomic-open-code.patch
+- Add fix for CVE-2010-2960: keyctl_session_to_parent NULL deref system crash
 
 * Fri Sep 03 2010 Kyle McMartin <kmcmartin at redhat.com>
 - sanity-check-bond-proc_entry.patch (rhbz#604630)
diff --git a/keys-fix-bug-in-keyctl-session-to-parent-if-parent-has-no-session-keyring.patch b/keys-fix-bug-in-keyctl-session-to-parent-if-parent-has-no-session-keyring.patch
new file mode 100644
index 0000000..4e4a3ff
--- /dev/null
+++ b/keys-fix-bug-in-keyctl-session-to-parent-if-parent-has-no-session-keyring.patch
@@ -0,0 +1,57 @@
+From: David Howells <dhowells at redhat.com>
+Subject: [PATCH] KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
+
+Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
+of the parent process's session keyring whether or not the parent has a session
+keyring [CVE-2010-2960].
+
+A program like the following:
+
+	#include <unistd.h>
+	#include <keyutils.h>
+	int main(int argc, char **argv)
+	{
+		keyctl(KEYCTL_SESSION_TO_PARENT);
+	}
+
+can be used to trigger the following bug report:
+
+	BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
+	IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443
+	...
+	Call Trace:
+	 [<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443
+	 [<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0
+	 [<ffffffff811af98c>] sys_keyctl+0xb4/0xb8
+	 [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
+
+if there is no parent process.
+
+If the system is using pam_keyinit then it mostly protected against this as all
+processes derived from a login will have inherited the session keyring created
+by pam_keyinit during the log in procedure.
+
+To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.
+
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+
+ security/keys/keyctl.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+
+diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
+index 3868c67..60924f6 100644
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -1305,7 +1305,8 @@ long keyctl_session_to_parent(void)
+ 		goto not_permitted;
+ 
+ 	/* the keyrings must have the same UID */
+-	if (pcred ->tgcred->session_keyring->uid != mycred->euid ||
++	if ((pcred->tgcred->session_keyring &&
++	     pcred->tgcred->session_keyring->uid != mycred->euid) ||
+ 	    mycred->tgcred->session_keyring->uid != mycred->euid)
+ 		goto not_permitted;
+ 
+
diff --git a/keys-fix-rcu-no-lock-warning-in-keyctl-session-to-parent.patch b/keys-fix-rcu-no-lock-warning-in-keyctl-session-to-parent.patch
new file mode 100644
index 0000000..4a2b472
--- /dev/null
+++ b/keys-fix-rcu-no-lock-warning-in-keyctl-session-to-parent.patch
@@ -0,0 +1,64 @@
+From: David Howells <dhowells at redhat.com>
+Subject: [PATCH] KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
+
+There's an protected access to the parent process's credentials in the middle
+of keyctl_session_to_parent().  This results in the following RCU warning:
+
+===================================================
+[ INFO: suspicious rcu_dereference_check() usage. ]
+---------------------------------------------------
+security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 1, debug_locks = 0
+1 lock held by keyctl-session-/2137:
+ #0:  (tasklist_lock){.+.+..}, at: [<ffffffff811ae2ec>] keyctl_session_to_parent+0x60/0x236
+
+stack backtrace:
+Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1
+Call Trace:
+ [<ffffffff8105606a>] lockdep_rcu_dereference+0xaa/0xb3
+ [<ffffffff811ae379>] keyctl_session_to_parent+0xed/0x236
+ [<ffffffff811af77e>] sys_keyctl+0xb4/0xb6
+ [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
+
+The code should take the RCU read lock to make sure the parents credentials
+don't go away, even though it's holding a spinlock and has IRQ disabled.
+
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+
+ security/keys/keyctl.c |    3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+
+diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
+index b2b0998..3868c67 100644
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -1272,6 +1272,7 @@ long keyctl_session_to_parent(void)
+ 	keyring_r = NULL;
+ 
+ 	me = current;
++	rcu_read_lock();
+ 	write_lock_irq(&tasklist_lock);
+ 
+ 	parent = me->real_parent;
+@@ -1319,6 +1320,7 @@ long keyctl_session_to_parent(void)
+ 	set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME);
+ 
+ 	write_unlock_irq(&tasklist_lock);
++	rcu_read_unlock();
+ 	if (oldcred)
+ 		put_cred(oldcred);
+ 	return 0;
+@@ -1327,6 +1329,7 @@ already_same:
+ 	ret = 0;
+ not_permitted:
+ 	write_unlock_irq(&tasklist_lock);
++	rcu_read_unlock();
+ 	put_cred(cred);
+ 	return ret;
+ 
+

More information about the scm-commits mailing list