CVE-2011-4110 keys: NULL pointer deref in the user-defined key type
This commit is contained in:
parent
445b543dc9
commit
df53fa5f95
2 changed files with 80 additions and 0 deletions
71
KEYS-Fix-a-NULL-pointer-deref-in-the-user-defined-ke.patch
Normal file
71
KEYS-Fix-a-NULL-pointer-deref-in-the-user-defined-ke.patch
Normal file
|
|
@ -0,0 +1,71 @@
|
|||
From f8789858be5c1b13543040b74d978ea448461155 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Tue, 15 Nov 2011 22:09:45 +0000
|
||||
Subject: [PATCH] KEYS: Fix a NULL pointer deref in the user-defined key type
|
||||
|
||||
commit 9f35a33b8d06263a165efe3541d9aa0cdbd70b3b upstream.
|
||||
|
||||
Fix a NULL pointer deref in the user-defined key type whereby updating a
|
||||
negative key into a fully instantiated key will cause an oops to occur
|
||||
when the code attempts to free the non-existent old payload.
|
||||
|
||||
This results in an oops that looks something like the following:
|
||||
|
||||
BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
|
||||
IP: [<ffffffff81085fa1>] __call_rcu+0x11/0x13e
|
||||
PGD 3391d067 PUD 3894a067 PMD 0
|
||||
Oops: 0002 [#1] SMP
|
||||
CPU 1
|
||||
Pid: 4354, comm: keyctl Not tainted 3.1.0-fsdevel+ #1140 /DG965RY
|
||||
RIP: 0010:[<ffffffff81085fa1>] [<ffffffff81085fa1>] __call_rcu+0x11/0x13e
|
||||
RSP: 0018:ffff88003d591df8 EFLAGS: 00010246
|
||||
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000006e
|
||||
RDX: ffffffff8161d0c0 RSI: 0000000000000000 RDI: 0000000000000000
|
||||
RBP: ffff88003d591e18 R08: 0000000000000000 R09: ffffffff8152fa6c
|
||||
R10: 0000000000000000 R11: 0000000000000300 R12: ffff88003b8f9538
|
||||
R13: ffffffff8161d0c0 R14: ffff88003b8f9d50 R15: ffff88003c69f908
|
||||
FS: 00007f97eb18c720(0000) GS:ffff88003bd00000(0000) knlGS:0000000000000000
|
||||
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
|
||||
CR2: 0000000000000008 CR3: 000000003d47a000 CR4: 00000000000006e0
|
||||
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
|
||||
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
|
||||
Process keyctl (pid: 4354, threadinfo ffff88003d590000, task ffff88003c78a040)
|
||||
Stack:
|
||||
ffff88003e0ffde0 ffff88003b8f9538 0000000000000001 ffff88003b8f9d50
|
||||
ffff88003d591e28 ffffffff810860f0 ffff88003d591e68 ffffffff8117bfea
|
||||
ffff88003d591e68 ffffffff00000000 ffff88003e0ffde1 ffff88003e0ffde0
|
||||
Call Trace:
|
||||
[<ffffffff810860f0>] call_rcu_sched+0x10/0x12
|
||||
[<ffffffff8117bfea>] user_update+0x8d/0xa2
|
||||
[<ffffffff8117723a>] key_create_or_update+0x236/0x270
|
||||
[<ffffffff811789b1>] sys_add_key+0x123/0x17e
|
||||
[<ffffffff813b84bb>] system_call_fastpath+0x16/0x1b
|
||||
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
Acked-by: Jeff Layton <jlayton@redhat.com>
|
||||
Acked-by: Neil Horman <nhorman@redhat.com>
|
||||
Acked-by: Steve Dickson <steved@redhat.com>
|
||||
Acked-by: James Morris <jmorris@namei.org>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
||||
---
|
||||
security/keys/user_defined.c | 3 ++-
|
||||
1 files changed, 2 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
|
||||
index e9aa079..d6781b9 100644
|
||||
--- a/security/keys/user_defined.c
|
||||
+++ b/security/keys/user_defined.c
|
||||
@@ -119,7 +119,8 @@ int user_update(struct key *key, const void *data, size_t datalen)
|
||||
key->expiry = 0;
|
||||
}
|
||||
|
||||
- call_rcu(&zap->rcu, user_update_rcu_disposal);
|
||||
+ if (zap)
|
||||
+ call_rcu(&zap->rcu, user_update_rcu_disposal);
|
||||
|
||||
error:
|
||||
return ret;
|
||||
--
|
||||
1.7.7.1
|
||||
|
||||
|
|
@ -919,6 +919,9 @@ Patch21060: crypto-ghash-Avoid-null-pointer-dereference-if-no-ke.patch
|
|||
#rhbz 755590
|
||||
Patch21061: ipv6-udp-fix-the-wrong-headroom-check.patch
|
||||
|
||||
#rhbz 756168
|
||||
Patch21062: KEYS-Fix-a-NULL-pointer-deref-in-the-user-defined-ke.patch
|
||||
|
||||
%endif
|
||||
|
||||
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
|
||||
|
|
@ -1738,6 +1741,9 @@ ApplyPatch crypto-ghash-Avoid-null-pointer-dereference-if-no-ke.patch
|
|||
#rhbz 755590
|
||||
ApplyPatch ipv6-udp-fix-the-wrong-headroom-check.patch
|
||||
|
||||
#rhbz 756168
|
||||
ApplyPatch KEYS-Fix-a-NULL-pointer-deref-in-the-user-defined-ke.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2324,6 +2330,9 @@ fi
|
|||
# and build.
|
||||
|
||||
%changelog
|
||||
* Tue Nov 22 2011 Josh Boyer <jwboyer@redhat.com> 2.6.35.14-106
|
||||
- CVE-2011-4110 keys: NULL pointer deref in the user-defined key type
|
||||
|
||||
* Mon Nov 21 2011 Josh Boyer <jwboyer@redhat.com> 2.6.35.14-105
|
||||
- CVE-2011-4326: wrong headroom check in udp6_ufo_fragment() (rhbz 755590)
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue