[kernel/f14/master] Revert extra fix for credentials leak (#683568)

Chuck Ebbert cebbert at fedoraproject.org
Thu Apr 21 02:14:13 UTC 2011


commit 1caa10e2d53800e0a6e4de4a993a7ee63b8af835
Author: Chuck Ebbert <cebbert at redhat.com>
Date:   Wed Apr 20 22:14:06 2011 -0400

    Revert extra fix for credentials leak (#683568)

 kernel.spec                      |    3 +-
 linux-2.6-upstream-reverts.patch |   76 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 78 insertions(+), 1 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index f746e8c..db74a80 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -2158,9 +2158,10 @@ fi
 # and build.
 
 %changelog
-* Mon Apr 18 2011 Chuck Ebbert <cebbert at redhat.com> 2.6.35.12-89
+* Mon Apr 20 2011 Chuck Ebbert <cebbert at redhat.com> 2.6.35.12-89
 - Revert TPM patches from -stable (c4ff4b829, 9b29050f8) that caused
   timeouts and suspend failures (#695953)
+- Revert extra fix for credentials leak (#683568)
 
 * Thu Mar 31 2011 Kyle McMartin <kmcmartin at redhat.com> 2.6.35.12-88
 - Update to longterm 2.6.35.12, drop upstream patches.
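Review bot: The rewritten changelog header `* Mon Apr 20 2011 Chuck Ebbert <cebbert at redhat.com> 2.6.35.12-89` carries the wrong weekday; 20 April 2011 was a Wednesday, as the commit's own Date line says, and rpmbuild warns about %changelog entries whose weekday does not match the date. Either keep the original `Mon Apr 18 2011` header and just append the new bullet under it, or change it to `Wed Apr 20 2011`. Since the release stays 2.6.35.12-89, this entry is being amended in place rather than bumped; that is fine as long as -89 was never pushed as a build.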
diff --git a/linux-2.6-upstream-reverts.patch b/linux-2.6-upstream-reverts.patch
index 1e8161e..c447c5a 100644
--- a/linux-2.6-upstream-reverts.patch
+++ b/linux-2.6-upstream-reverts.patch
@@ -1,3 +1,79 @@
+From foo
+From: David Howells <dhowells at redhat.com>
+Subject: Fix cred leak in AF_NETLINK
+
+Patch cab9e9848b9a8283b0504a2d7c435a9f5ba026de to the 2.6.35.y stable tree
+stored a ref to the current cred struct in struct scm_cookie.  This was fine
+with AF_UNIX as that calls scm_destroy() from its packet sending functions, but
+AF_NETLINK, which also uses scm_send(), does not call scm_destroy() - meaning
+that the copied credentials leak each time SCM data is sent over a netlink
+socket.
+
+This can be triggered quite simply on a Fedora 13 or 14 userspace with the
+2.6.35.11 kernel (or something based off of that) by calling:
+
+	#!/bin/bash
+	for ((i=0; i<100; i++))
+	do
+		su - -c /bin/true
+		cut -d: -f1 /proc/slabinfo | grep 'cred\|key\|task_struct'
+		cat /proc/keys | wc -l
+	done
+
+This leaks the session key that pam_keyinit creates for 'su -', which appears
+in /proc/keys as being revoked (has the R flag set against it) afterward su is
+called.
+
+Furthermore, if CONFIG_SLAB=y, then the cred and key slab object usage counts
+can be viewed and seen to increase.  The key slab increases by one object per
+loop, and this can be seen after the system has had a couple of minutes to
+stand after the script above has been run on it.
+
+If the system is working correctly, the key and cred counts should return to
+roughly what they were before.
+
+Signed-off-by: David Howells <dhowells at redhat.com>
+Signed-off-by: Andi Kleen <ak at linux.intel.com>
+
+---
+
+ net/netlink/af_netlink.c |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+Index: linux-2.6.35.y/net/netlink/af_netlink.c
+===================================================================
+--- linux-2.6.35.y.orig/net/netlink/af_netlink.c	2011-03-29 22:52:05.032059161 -0700
++++ linux-2.6.35.y/net/netlink/af_netlink.c	2011-03-29 23:53:42.295455441 -0700
+@@ -1330,12 +1330,16 @@
+ 		return err;
+ 
+ 	if (msg->msg_namelen) {
+-		if (addr->nl_family != AF_NETLINK)
+-			return -EINVAL;
++		if (addr->nl_family != AF_NETLINK) {
++			err = -EINVAL;
++			goto out;
++		}
+ 		dst_pid = addr->nl_pid;
+ 		dst_group = ffs(addr->nl_groups);
+-		if (dst_group && !netlink_capable(sock, NL_NONROOT_SEND))
+-			return -EPERM;
++		if (dst_group && !netlink_capable(sock, NL_NONROOT_SEND)) {
++			err = -EPERM;
++			goto out;
++		}
+ 	} else {
+ 		dst_pid = nlk->dst_pid;
+ 		dst_group = nlk->dst_group;
+@@ -1387,6 +1391,8 @@
+ 	err = netlink_unicast(sk, skb, dst_pid, msg->msg_flags&MSG_DONTWAIT);
+ 
+ out:
++	scm_destroy(siocb->scm);
++	siocb->scm = NULL;
+ 	return err;
+ }
+ 
 From c4ff4b829ef9e6353c0b133b7adb564a68054979 Mon Sep 17 00:00:00 2001
 From: Rajiv Andrade <srajiv at linux.vnet.ibm.com>
 Date: Fri, 12 Nov 2010 22:30:02 +0100
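Review bot: Nothing in this hunk or the commit message says why the AF_NETLINK scm_destroy() fix is safe to revert. The embedded description states that without this change every scm_send() over a netlink socket leaks a cred reference and the pam_keyinit session key, so dropping the fix only makes sense if the patch it repairs (cab9e9848b9a8283b0504a2d7c435a9f5ba026de, the scm_cookie cred ref) was itself dropped when the spec moved to 2.6.35.12; if so, state that in the commit message or in a comment at the top of the reverts file, and ideally note the /proc/keys or slabinfo check from the description as the way to confirm the leak is really gone. Separately, the entry is introduced with a placeholder `From foo` line while the neighbouring entry uses a real `From c4ff4b829ef9e6353c0b133b7adb564a68054979 ...` header; replace the placeholder with the upstream commit id (or the stable-tree reference) so the revert can be matched against its source later.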