[kernel/f14/master] Revert extra fix for credentials leak (#683568)
Chuck Ebbert
cebbert at fedoraproject.org
Thu Apr 21 02:14:13 UTC 2011
commit 1caa10e2d53800e0a6e4de4a993a7ee63b8af835
Author: Chuck Ebbert <cebbert at redhat.com>
Date: Wed Apr 20 22:14:06 2011 -0400
Revert extra fix for credentials leak (#683568)
kernel.spec | 3 +-
linux-2.6-upstream-reverts.patch | 76 ++++++++++++++++++++++++++++++++++++++
2 files changed, 78 insertions(+), 1 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index f746e8c..db74a80 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -2158,9 +2158,10 @@ fi
# and build.
%changelog
-* Mon Apr 18 2011 Chuck Ebbert <cebbert at redhat.com> 2.6.35.12-89
+* Mon Apr 20 2011 Chuck Ebbert <cebbert at redhat.com> 2.6.35.12-89
- Revert TPM patches from -stable (c4ff4b829, 9b29050f8) that caused
timeouts and suspend failures (#695953)
+- Revert extra fix for credentials leak (#683568)
* Thu Mar 31 2011 Kyle McMartin <kmcmartin at redhat.com> 2.6.35.12-88
- Update to longterm 2.6.35.12, drop upstream patches.
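Review bot: the amended changelog header `+* Mon Apr 20 2011 Chuck Ebbert <cebbert at redhat.com> 2.6.35.12-89` has a weekday/date mismatch; 20 April 2011 was a Wednesday (the commit's own Date line reads `Wed Apr 20 22:14:06 2011`), and rpmbuild flags such entries with a "bogus date in %changelog" warning. Either keep the original `Mon Apr 18 2011` line and append the new bullet to it, or write `Wed Apr 20 2011`; note also that the release tag stays at -89 while the entry's contents change, so this build is not distinguishable from the previous -89 by version alone.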
diff --git a/linux-2.6-upstream-reverts.patch b/linux-2.6-upstream-reverts.patch
index 1e8161e..c447c5a 100644
--- a/linux-2.6-upstream-reverts.patch
+++ b/linux-2.6-upstream-reverts.patch
@@ -1,3 +1,79 @@
+From foo
+From: David Howells <dhowells at redhat.com>
+Subject: Fix cred leak in AF_NETLINK
+
+Patch cab9e9848b9a8283b0504a2d7c435a9f5ba026de to the 2.6.35.y stable tree
+stored a ref to the current cred struct in struct scm_cookie. This was fine
+with AF_UNIX as that calls scm_destroy() from its packet sending functions, but
+AF_NETLINK, which also uses scm_send(), does not call scm_destroy() - meaning
+that the copied credentials leak each time SCM data is sent over a netlink
+socket.
+
+This can be triggered quite simply on a Fedora 13 or 14 userspace with the
+2.6.35.11 kernel (or something based off of that) by calling:
+
+ #!/bin/bash
+ for ((i=0; i<100; i++))
+ do
+ su - -c /bin/true
+ cut -d: -f1 /proc/slabinfo | grep 'cred\|key\|task_struct'
+ cat /proc/keys | wc -l
+ done
+
+This leaks the session key that pam_keyinit creates for 'su -', which appears
+in /proc/keys as being revoked (has the R flag set against it) afterward su is
+called.
+
+Furthermore, if CONFIG_SLAB=y, then the cred and key slab object usage counts
+can be viewed and seen to increase. The key slab increases by one object per
+loop, and this can be seen after the system has had a couple of minutes to
+stand after the script above has been run on it.
+
+If the system is working correctly, the key and cred counts should return to
+roughly what they were before.
+
+Signed-off-by: David Howells <dhowells at redhat.com>
+Signed-off-by: Andi Kleen <ak at linux.intel.com>
+
+---
+
+ net/netlink/af_netlink.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+Index: linux-2.6.35.y/net/netlink/af_netlink.c
+===================================================================
+--- linux-2.6.35.y.orig/net/netlink/af_netlink.c 2011-03-29 22:52:05.032059161 -0700
++++ linux-2.6.35.y/net/netlink/af_netlink.c 2011-03-29 23:53:42.295455441 -0700
+@@ -1330,12 +1330,16 @@
+ return err;
+
+ if (msg->msg_namelen) {
+- if (addr->nl_family != AF_NETLINK)
+- return -EINVAL;
++ if (addr->nl_family != AF_NETLINK) {
++ err = -EINVAL;
++ goto out;
++ }
+ dst_pid = addr->nl_pid;
+ dst_group = ffs(addr->nl_groups);
+- if (dst_group && !netlink_capable(sock, NL_NONROOT_SEND))
+- return -EPERM;
++ if (dst_group && !netlink_capable(sock, NL_NONROOT_SEND)) {
++ err = -EPERM;
++ goto out;
++ }
+ } else {
+ dst_pid = nlk->dst_pid;
+ dst_group = nlk->dst_group;
+@@ -1387,6 +1391,8 @@
+ err = netlink_unicast(sk, skb, dst_pid, msg->msg_flags&MSG_DONTWAIT);
+
+ out:
++ scm_destroy(siocb->scm);
++ siocb->scm = NULL;
+ return err;
+ }
+
From c4ff4b829ef9e6353c0b133b7adb564a68054979 Mon Sep 17 00:00:00 2001
From: Rajiv Andrade <srajiv at linux.vnet.ibm.com>
Date: Fri, 12 Nov 2010 22:30:02 +0100
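Review bot: adding David Howells' "Fix cred leak in AF_NETLINK" to linux-2.6-upstream-reverts.patch backs the fix out of the build, but neither this hunk nor the commit message says why. The reverted change is what makes netlink_sendmsg's `-EINVAL`/`-EPERM` paths `goto out` and what adds `scm_destroy(siocb->scm); siocb->scm = NULL;` at the `out:` label; per the description carried in the hunk, without that call the cred reference that cab9e9848 stores in struct scm_cookie leaks on every SCM send over a netlink socket. The changelog line should state the reason (a regression, or that cab9e9848 itself is also being dropped from the 2.6.35.y tree so the destroy is no longer needed), and the cred/key slab and /proc/keys check described in the patch text is the obvious way to confirm the leak does not return with this revert applied.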