[kernel/f20] CVE-2014-0102 keyctl_link can be used to cause an oops (rhbz 1071396)

Josh Boyer jwboyer at fedoraproject.org
Fri Feb 28 16:49:27 UTC 2014


commit 6162a001a7941874628b6ca393eef3d6277c6783
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Fri Feb 28 11:48:34 2014 -0500

    CVE-2014-0102 keyctl_link can be used to cause an oops (rhbz 1071396)

 kernel.spec       |    8 ++++++++
 keyring-fix.patch |   17 +++++++++++++++++
 2 files changed, 25 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 73aa9d7..f0c3fff 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -764,6 +764,9 @@ Patch25024: e100-Fix-disabling-already-disabled-device-warning.patch
 #rhbz 1056170
 Patch25025: usb-ehci-fix-deadlock-when-threadirqs-option-is-used.patch
 
+#CVE-2014-0102 rhbz 1071396
+Patch25026: keyring-fix.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1484,6 +1487,8 @@ ApplyPatch e100-Fix-disabling-already-disabled-device-warning.patch
 #rhbz 1056170
 ApplyPatch usb-ehci-fix-deadlock-when-threadirqs-option-is-used.patch
 
+#CVE-2014-0102 rhbz 1071396
+ApplyPatch keyring-fix.patch
 
 # END OF PATCH APPLICATIONS
 
@@ -2297,6 +2302,9 @@ fi
 #                 ||     ||
 %changelog
 * Fri Feb 28 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2014-0102 keyctl_link can be used to cause an oops (rhbz 1071396)
+
+* Fri Feb 28 2014 Josh Boyer <jwboyer at fedoraproject.org>
 - Drop alx phy reset patch that is already in 3.13
 
 * Tue Feb 25 2014 Josh Boyer <jwboyer at fedoraproject.org>
diff --git a/keyring-fix.patch b/keyring-fix.patch
new file mode 100644
index 0000000..6539144
--- /dev/null
+++ b/keyring-fix.patch
@@ -0,0 +1,17 @@
+@@ -, +, @@ 
+---
+--- a/security/keys/keyring.c	
++++ a/security/keys/keyring.c	
+@@ -1000,7 +1000,11 @@ static int keyring_detect_cycle_iterator(const void *object,
+ 
+ 	kenter("{%d}", key->serial);
+ 
+-	BUG_ON(key != ctx->match_data);
++	/* We might get a keyring with matching index-key that is nonetheless a
++	 * different keyring. */
++	if (key != ctx->match_data)
++		return 0;
++
+ 	ctx->result = ERR_PTR(-EDEADLK);
+ 	return 1;
+ }
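Review bot: The new keyring-fix.patch carries no provenance. Its header is only a placeholder `@@ -, +, @@` line and a bare `---`, with no From/Subject/Date and no upstream commit reference, so a later auditor cannot tell from the file which upstream change this CVE-2014-0102 fix corresponds to or check that it matches. I would add a short header above the `---` line, for example `Subject: <UPSTREAM_SUBJECT>`, `Upstream-commit: <UPSTREAM_COMMIT_ID>` (placeholders, the page does not give them) and `Bugzilla: 1071396`. On the code, replacing `BUG_ON(key != ctx->match_data)` with `if (key != ctx->match_data) return 0;` turns the crash named in the commit title into a non-match. Returning 0 presumably means "keep iterating", which should be confirmed against the caller, since keyring_detect_cycle_iterator begins outside the hunk and its contract is not visible here.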

