linux/security/keys
David Howells 3d96406c7d KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
of the parent process's session keyring whether or not the parent has a session
keyring [CVE-2010-2960].

This results in the following oops:

  BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
  IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443
  ...
  Call Trace:
   [<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443
   [<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0
   [<ffffffff811af98c>] sys_keyctl+0xb4/0xb8
   [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b

if the parent process has no session keyring.

If the system is using pam_keyinit then it mostly protected against this as all
processes derived from a login will have inherited the session keyring created
by pam_keyinit during the log in procedure.

To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.

Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-09-10 07:30:00 -07:00
..
compat.c
gc.c KEYS: Fix RCU handling in key_gc_keyring() 2010-05-05 11:39:23 +10:00
internal.h Add a dummy printk function for the maintenance of unused printks 2010-08-12 09:51:35 -07:00
key.c KEYS: Do preallocation for __key_link() 2010-05-06 22:25:02 +10:00
keyctl.c KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring 2010-09-10 07:30:00 -07:00
keyring.c kernel-wide: replace USHORT_MAX, SHORT_MAX and SHORT_MIN with USHRT_MAX, SHRT_MAX and SHRT_MIN 2010-05-25 08:07:02 -07:00
Makefile
permission.c security: whitespace coding style fixes 2010-04-23 10:10:23 +10:00
proc.c KEYS: Make /proc/keys check to see if a key is possessed before security check 2010-08-02 15:34:27 +10:00
process_keys.c KEYS: Make /proc/keys check to see if a key is possessed before security check 2010-08-02 15:34:27 +10:00
request_key_auth.c
request_key.c KEYS: request_key() should return -ENOKEY if the constructed key is negative 2010-08-06 09:17:02 -07:00
sysctl.c
user_defined.c KEYS: Fix an RCU warning in the reading of user keys 2010-05-05 11:38:52 +10:00