/[linux-patches]/genpatches-2.6/trunk/2.6.14/1494_16.3_add-key-to-nonkeyring-oops.patch
Gentoo

Contents of /genpatches-2.6/trunk/2.6.14/1494_16.3_add-key-to-nonkeyring-oops.patch

Parent Directory Parent Directory | Revision Log Revision Log


Revision 381 - (show annotations) (download) (as text)
Thu Apr 13 15:29:29 2006 UTC (14 years, 6 months ago) by johnm
File MIME type: text/x-diff
File size: 2041 byte(s)
Applying appropriate CVE fixes
1 From git-commits-head-owner@vger.kernel.org Mon Apr 10 10:01:58 2006
2 Date: Mon, 10 Apr 2006 17:01:40 GMT
3 Message-Id: <200604101701.k3AH1ejA004998@hera.kernel.org>
4 From: David Howells <dhowells@redhat.com>
5 To: git-commits-head@vger.kernel.org
6 Subject: Keys: Fix oops when adding key to non-keyring [CVE-2006-1522]
7
8 From: David Howells <dhowells@redhat.com>
9
10 This fixes the problem of an oops occuring when a user attempts to add a
11 key to a non-keyring key [CVE-2006-1522].
12
13 The problem is that __keyring_search_one() doesn't check that the
14 keyring it's been given is actually a keyring.
15
16 I've fixed this problem by:
17
18 (1) declaring that caller of __keyring_search_one() must guarantee that
19 the keyring is a keyring; and
20
21 (2) making key_create_or_update() check that the keyring is a keyring,
22 and return -ENOTDIR if it isn't.
23
24 This can be tested by:
25
26 keyctl add user b b `keyctl add user a a @s`
27
28 Signed-off-by: David Howells <dhowells@redhat.com>
29 Signed-off-by: Linus Torvalds <torvalds@osdl.org>
30 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
31
32 --- a/security/keys/key.c
33 +++ b/security/keys/key.c
34 @@ -785,6 +785,10 @@ key_ref_t key_create_or_update(key_ref_t
35
36 key_check(keyring);
37
38 + key_ref = ERR_PTR(-ENOTDIR);
39 + if (keyring->type != &key_type_keyring)
40 + goto error_2;
41 +
42 down_write(&keyring->sem);
43
44 /* if we're going to allocate a new key, we're going to have
45 diff --git a/security/keys/keyring.c b/security/keys/keyring.c
46 index d65a180..bffa924 100644
47 --- a/security/keys/keyring.c
48 +++ b/security/keys/keyring.c
49 @@ -437,6 +437,7 @@ EXPORT_SYMBOL(keyring_search);
50 /*
51 * search the given keyring only (no recursion)
52 * - keyring must be locked by caller
53 + * - caller must guarantee that the keyring is a keyring
54 */
55 key_ref_t __keyring_search_one(key_ref_t keyring_ref,
56 const struct key_type *ktype,
57 -
58 To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
59 the body of a message to majordomo@vger.kernel.org
60 More majordomo info at http://vger.kernel.org/majordomo-info.html
61

  ViewVC Help
Powered by ViewVC 1.1.20