1
commit 3d96406c7da1ed5811ea52a3b0905f4f0e295376
2
Author: David Howells <dhowells@redhat.com>
3
Date: Fri Sep 10 09:59:51 2010 +0100
5
KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
7
Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
8
of the parent process's session keyring whether or not the parent has a session
9
keyring [CVE-2010-2960].
11
This results in the following oops:
13
BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
14
IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443
17
[<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443
18
[<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0
19
[<ffffffff811af98c>] sys_keyctl+0xb4/0xb8
20
[<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
22
if the parent process has no session keyring.
24
If the system is using pam_keyinit then it mostly protected against this as all
25
processes derived from a login will have inherited the session keyring created
26
by pam_keyinit during the log in procedure.
28
To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.
30
Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
31
Signed-off-by: David Howells <dhowells@redhat.com>
32
Acked-by: Tavis Ormandy <taviso@cmpxchg8b.com>
33
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
35
[Backported to Debian's 2.6.32 by dann frazier <dannf@debian.org>]
37
diff -urpN linux-source-2.6.32.orig/security/keys/keyctl.c linux-source-2.6.32/security/keys/keyctl.c
38
--- linux-source-2.6.32.orig/security/keys/keyctl.c 2010-09-16 12:16:29.000000000 -0600
39
+++ linux-source-2.6.32/security/keys/keyctl.c 2010-09-16 12:18:32.000000000 -0600
40
@@ -1292,7 +1292,8 @@ long keyctl_session_to_parent(void)
43
/* the keyrings must have the same UID */
44
- if (pcred ->tgcred->session_keyring->uid != mycred->euid ||
45
+ if ((pcred->tgcred->session_keyring &&
46
+ pcred->tgcred->session_keyring->uid != mycred->euid) ||
47
mycred->tgcred->session_keyring->uid != mycred->euid)