[kernel/f21] CVE-2014-9529 memory corruption or panic during key gc (rhbz 1179813 1179853)
Josh Boyer
jwboyer at fedoraproject.org
Wed Jan 7 18:06:13 UTC 2015
commit 0ace95ceecdccb5f3ea208b907e0d99e3219dc54
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date: Wed Jan 7 12:56:46 2015 -0500
CVE-2014-9529 memory corruption or panic during key gc (rhbz 1179813 1179853)
...close-race-between-key-lookup-and-freeing.patch | 43 ++++++++++++++++++++
kernel.spec | 7 +++
2 files changed, 50 insertions(+), 0 deletions(-)
---
diff --git a/KEYS-close-race-between-key-lookup-and-freeing.patch b/KEYS-close-race-between-key-lookup-and-freeing.patch
new file mode 100644
index 0000000..7994e2f
--- /dev/null
+++ b/KEYS-close-race-between-key-lookup-and-freeing.patch
@@ -0,0 +1,43 @@
+From: Sasha Levin <sasha.levin () oracle ! com>
+Date: Mon, 29 Dec 2014 14:39:01 -0500
+Subject: [PATCH] KEYS: close race between key lookup and freeing
+
+When a key is being garbage collected, it's key->user would get put before
+the ->destroy() callback is called, where the key is removed from it's
+respective tracking structures.
+
+This leaves a key hanging in a semi-invalid state which leaves a window open
+for a different task to try an access key->user. An example is
+find_keyring_by_name() which would dereference key->user for a key that is
+in the process of being garbage collected (where key->user was freed but
+->destroy() wasn't called yet - so it's still present in the linked list).
+
+This would cause either a panic, or corrupt memory.
+
+Signed-off-by: Sasha Levin <sasha.levin at oracle.com>
+---
+ security/keys/gc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/security/keys/gc.c b/security/keys/gc.c
+index 9609a7f0faea..c7952375ac53 100644
+--- a/security/keys/gc.c
++++ b/security/keys/gc.c
+@@ -148,12 +148,12 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
+ if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
+ atomic_dec(&key->user->nikeys);
+
+- key_user_put(key->user);
+-
+ /* now throw away the key memory */
+ if (key->type->destroy)
+ key->type->destroy(key);
+
++ key_user_put(key->user);
++
+ kfree(key->description);
+
+ #ifdef KEY_DEBUGGING
+--
+2.1.0
+
diff --git a/kernel.spec b/kernel.spec
index 35f9c0e..de88b52 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -682,6 +682,9 @@ Patch26122: batman-adv-Calculate-extra-tail-size-based-on-queued.patch
#CVE-2014-9419 rhbz 1177260,1177263
Patch26123: x86_64-switch_to-Load-TLS-descriptors-before-switchi.patch
+#CVE-2014-9529 rhbz 1179813 1179853
+Patch26124: KEYS-close-race-between-key-lookup-and-freeing.patch
+
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
Patch30000: kernel-arm64.patch
@@ -1473,6 +1476,9 @@ ApplyPatch batman-adv-Calculate-extra-tail-size-based-on-queued.patch
#CVE-2014-9419 rhbz 1177260,1177263
ApplyPatch x86_64-switch_to-Load-TLS-descriptors-before-switchi.patch
+#CVE-2014-9529 rhbz 1179813 1179853
+ApplyPatch KEYS-close-race-between-key-lookup-and-freeing.patch
+
%if 0%{?aarch64patches}
ApplyPatch kernel-arm64.patch
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2348,6 +2354,7 @@ fi
# || ||
%changelog
* Wed Jan 07 2015 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2014-9529 memory corruption or panic during key gc (rhbz 1179813 1179853)
- Enable POWERCAP and INTEL_RAPL
* Tue Jan 06 2015 Josh Boyer <jwboyer at fedoraproject.org>
More information about the scm-commits
mailing list