[kernel/f14/master] Fix 3 CVEs
Chuck Ebbert
cebbert at fedoraproject.org
Wed Sep 15 01:32:24 UTC 2010
commit db056c27c3551859c58a820b193d46d255afe6cd
Author: Chuck Ebbert <cebbert at redhat.com>
Date: Tue Sep 14 21:31:20 2010 -0400
Fix 3 CVEs
/dev/sequencer open failure is not handled correctly (CVE-2010-3080)
NULL deref and panic in irda (CVE-2010-2954)
keyctl_session_to_parent NULL deref system crash (CVE-2010-2960)
...le-free-at-error-path-of-snd_seq_oss_open.patch | 53 ++++++++++++++++
...lean-up-self-ias_obj-on-irda_bind-failure.patch | 35 +++++++++++
kernel.spec | 22 +++++++
...o_parent-if-parent-has-no-session-keyring.patch | 50 +++++++++++++++
...-lock-warning-in-keyctl_session_to_parent.patch | 64 ++++++++++++++++++++
5 files changed, 224 insertions(+), 0 deletions(-)
---
diff --git a/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch b/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
new file mode 100644
index 0000000..73e65ec
--- /dev/null
+++ b/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
@@ -0,0 +1,53 @@
+From: Takashi Iwai <tiwai at suse.de>
+Date: Mon, 6 Sep 2010 07:13:45 +0000 (+0200)
+Subject: ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=27f7ad53829f79e799a253285318bff79ece15bd
+
+ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
+
+The error handling in snd_seq_oss_open() has several bad codes that
+do dereferecing released pointers and double-free of kmalloc'ed data.
+The object dp is release in free_devinfo() that is called via
+private_free callback. The rest shouldn't touch this object any more.
+
+The patch changes delete_port() to call kfree() in any case, and gets
+rid of unnecessary calls of destructors in snd_seq_oss_open().
+
+Fixes CVE-2010-3080.
+
+Reported-and-tested-by: Tavis Ormandy <taviso at cmpxchg8b.com>
+Cc: <stable at kernel.org>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+
+diff --git a/sound/core/seq/oss/seq_oss_init.c b/sound/core/seq/oss/seq_oss_init.c
+index 6857122..69cd7b3 100644
+--- a/sound/core/seq/oss/seq_oss_init.c
++++ b/sound/core/seq/oss/seq_oss_init.c
+@@ -281,13 +281,10 @@ snd_seq_oss_open(struct file *file, int level)
+ return 0;
+
+ _error:
+- snd_seq_oss_writeq_delete(dp->writeq);
+- snd_seq_oss_readq_delete(dp->readq);
+ snd_seq_oss_synth_cleanup(dp);
+ snd_seq_oss_midi_cleanup(dp);
+- delete_port(dp);
+ delete_seq_queue(dp->queue);
+- kfree(dp);
++ delete_port(dp);
+
+ return rc;
+ }
+@@ -350,8 +347,10 @@ create_port(struct seq_oss_devinfo *dp)
+ static int
+ delete_port(struct seq_oss_devinfo *dp)
+ {
+- if (dp->port < 0)
++ if (dp->port < 0) {
++ kfree(dp);
+ return 0;
++ }
+
+ debug_printk(("delete_port %i\n", dp->port));
+ return snd_seq_event_port_detach(dp->cseq, dp->port);
diff --git a/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch b/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
new file mode 100644
index 0000000..7afc4df
--- /dev/null
+++ b/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
@@ -0,0 +1,35 @@
+From: David S. Miller <davem at davemloft.net>
+Date: Tue, 31 Aug 2010 01:35:24 +0000 (-0700)
+Subject: irda: Correctly clean up self->ias_obj on irda_bind() failure.
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=628e300cccaa628d8fb92aa28cb7530a3d5f2257
+
+irda: Correctly clean up self->ias_obj on irda_bind() failure.
+
+If irda_open_tsap() fails, the irda_bind() code tries to destroy
+the ->ias_obj object by hand, but does so wrongly.
+
+In particular, it fails to a) release the hashbin attached to the
+object and b) reset the self->ias_obj pointer to NULL.
+
+Fix both problems by using irias_delete_object() and explicitly
+setting self->ias_obj to NULL, just as irda_release() does.
+
+Reported-by: Tavis Ormandy <taviso at cmpxchg8b.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index 79986a6..fd55b51 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -824,8 +824,8 @@ static int irda_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
+
+ err = irda_open_tsap(self, addr->sir_lsap_sel, addr->sir_name);
+ if (err < 0) {
+- kfree(self->ias_obj->name);
+- kfree(self->ias_obj);
++ irias_delete_object(self->ias_obj);
++ self->ias_obj = NULL;
+ goto out;
+ }
+
diff --git a/kernel.spec b/kernel.spec
index b93fcf1..5b19e25 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -739,6 +739,14 @@ Patch12520: execve-improve-interactivity-with-large-arguments.patch
Patch12521: execve-make-responsive-to-sigkill-with-large-arguments.patch
Patch12522: setup_arg_pages-diagnose-excessive-argument-size.patch
+# CVE-2010-3080
+Patch12530: alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
+# CVE-2010-2954
+Patch12540: irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
+# CVE-2010-2960
+Patch12550: keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
+Patch12551: keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
+
%endif
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1368,6 +1376,14 @@ ApplyPatch execve-improve-interactivity-with-large-arguments.patch
ApplyPatch execve-make-responsive-to-sigkill-with-large-arguments.patch
ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch
+# CVE-2010-3080
+ApplyPatch alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
+# CVE-2010-2954
+ApplyPatch irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
+# CVE-2010-2960
+ApplyPatch keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
+ApplyPatch keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -1955,6 +1971,12 @@ fi
%changelog
* Tue Sep 14 2010 Chuck Ebbert <cebbert at redhat.com> 2.6.35.4-28
+- Fix 3 CVEs:
+ /dev/sequencer open failure is not handled correctly (CVE-2010-3080)
+ NULL deref and panic in irda (CVE-2010-2954)
+ keyctl_session_to_parent NULL deref system crash (CVE-2010-2960)
+
+* Tue Sep 14 2010 Chuck Ebbert <cebbert at redhat.com>
- Fix DOS with large argument lists.
* Tue Sep 14 2010 Kyle McMartin <kyle at redhat.com>
diff --git a/keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch b/keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
new file mode 100644
index 0000000..c920867
--- /dev/null
+++ b/keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
@@ -0,0 +1,50 @@
+From: David Howells <dhowells at redhat.com>
+Date: Fri, 10 Sep 2010 08:59:51 +0000 (+0100)
+Subject: KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=3d96406c7da1ed5811ea52a3b0905f4f0e295376
+
+KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
+
+Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
+of the parent process's session keyring whether or not the parent has a session
+keyring [CVE-2010-2960].
+
+This results in the following oops:
+
+ BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
+ IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443
+ ...
+ Call Trace:
+ [<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443
+ [<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0
+ [<ffffffff811af98c>] sys_keyctl+0xb4/0xb8
+ [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
+
+if the parent process has no session keyring.
+
+If the system is using pam_keyinit then it mostly protected against this as all
+processes derived from a login will have inherited the session keyring created
+by pam_keyinit during the log in procedure.
+
+To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.
+
+Reported-by: Tavis Ormandy <taviso at cmpxchg8b.com>
+Signed-off-by: David Howells <dhowells at redhat.com>
+Acked-by: Tavis Ormandy <taviso at cmpxchg8b.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
+index 3868c67..60924f6 100644
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -1305,7 +1305,8 @@ long keyctl_session_to_parent(void)
+ goto not_permitted;
+
+ /* the keyrings must have the same UID */
+- if (pcred->tgcred->session_keyring->uid != mycred->euid ||
++ if ((pcred->tgcred->session_keyring &&
++ pcred->tgcred->session_keyring->uid != mycred->euid) ||
+ mycred->tgcred->session_keyring->uid != mycred->euid)
+ goto not_permitted;
+
diff --git a/keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch b/keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
new file mode 100644
index 0000000..5318f7e
--- /dev/null
+++ b/keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
@@ -0,0 +1,64 @@
+From: David Howells <dhowells at redhat.com>
+Date: Fri, 10 Sep 2010 08:59:46 +0000 (+0100)
+Subject: KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9d1ac65a9698513d00e5608d93fca0c53f536c14
+
+KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
+
+There's an protected access to the parent process's credentials in the middle
+of keyctl_session_to_parent(). This results in the following RCU warning:
+
+ ===================================================
+ [ INFO: suspicious rcu_dereference_check() usage. ]
+ ---------------------------------------------------
+ security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection!
+
+ other info that might help us debug this:
+
+ rcu_scheduler_active = 1, debug_locks = 0
+ 1 lock held by keyctl-session-/2137:
+ #0: (tasklist_lock){.+.+..}, at: [<ffffffff811ae2ec>] keyctl_session_to_parent+0x60/0x236
+
+ stack backtrace:
+ Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1
+ Call Trace:
+ [<ffffffff8105606a>] lockdep_rcu_dereference+0xaa/0xb3
+ [<ffffffff811ae379>] keyctl_session_to_parent+0xed/0x236
+ [<ffffffff811af77e>] sys_keyctl+0xb4/0xb6
+ [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
+
+The code should take the RCU read lock to make sure the parents credentials
+don't go away, even though it's holding a spinlock and has IRQ disabled.
+
+Signed-off-by: David Howells <dhowells at redhat.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
+index b2b0998..3868c67 100644
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -1272,6 +1272,7 @@ long keyctl_session_to_parent(void)
+ keyring_r = NULL;
+
+ me = current;
++ rcu_read_lock();
+ write_lock_irq(&tasklist_lock);
+
+ parent = me->real_parent;
+@@ -1319,6 +1320,7 @@ long keyctl_session_to_parent(void)
+ set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME);
+
+ write_unlock_irq(&tasklist_lock);
++ rcu_read_unlock();
+ if (oldcred)
+ put_cred(oldcred);
+ return 0;
+@@ -1327,6 +1329,7 @@ already_same:
+ ret = 0;
+ not_permitted:
+ write_unlock_irq(&tasklist_lock);
++ rcu_read_unlock();
+ put_cred(cred);
+ return ret;
+
More information about the scm-commits
mailing list