oss-sec mailing list archives
Re: CVE request: crash when attempt to garbage collect an uninstantiated keyring - Linux kernel
From: cve-assign () mitre org
Date: Tue, 20 Oct 2015 10:21:14 -0400 (EDT)
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce1fad2740c648a4340f6f6c391a8a83769d2e8c
https://bugzilla.redhat.com/show_bug.cgi?id=1272371
https://bugzilla.redhat.com/show_bug.cgi?id=1272172
    i=`keyctl add user a a @s`
    keyctl request2 keyring foo bar @t
    keyctl unlink $i @s

tries to invoke an upcall to instantiate a keyring if one doesn't already exist by that name within the user's keyring set. However, if the upcall fails, the code sets keyring->type_data.reject_error to -ENOKEY or some other error code. When the key is garbage collected, the key destroy function is called unconditionally and keyring_destroy() uses list_empty() on keyring->type_data.link - which is in a union with reject_error. Subsequently, the kernel tries to unlink the keyring from the keyring names list - which oopses
The solution is to only call ->destroy() if the key was successfully instantiated.
Prevent a user-triggerable crash in the keyrings destructor when a negatively instantiated keyring is garbage collected.
Use CVE-2015-7872.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
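The union overlap described in the message above, as a userspace C model added here (it is not kernel code and not part of the original message). Only type_data, link and reject_error come from the text; the state enum and all function names are hypothetical, and the model only reports whether a destructor would try to unlink, without following the bogus pointer.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace model only; names other than type_data, link, reject_error are hypothetical. */
struct list_head { struct list_head *next, *prev; };
enum model_state { MODEL_UNINSTANTIATED, MODEL_INSTANTIATED, MODEL_NEGATIVE };

struct model_key {
    enum model_state state;
    union {
        struct list_head link;  /* meaningful only when MODEL_INSTANTIATED */
        int reject_error;       /* meaningful only when MODEL_NEGATIVE */
    } type_data;
};

void model_instantiate(struct model_key *k) {
    memset(k, 0, sizeof(*k));
    k->state = MODEL_INSTANTIATED;
    k->type_data.link.next = k->type_data.link.prev = &k->type_data.link;
}

/* Failed upcall: the error code is stored over the bytes of link. */
void model_reject(struct model_key *k, int error) {
    memset(k, 0, sizeof(*k));
    k->state = MODEL_NEGATIVE;
    k->type_data.reject_error = -error;
}

/* What a destructor that trusts link concludes: "on a list, so unlink it". */
bool destroy_would_unlink(const struct model_key *k) {
    const struct list_head *l = &k->type_data.link;
    return l->next != NULL && l->next != l;
}

/* Before the fix: the destructor runs for every collected key. */
bool gc_unconditional(const struct model_key *k) { return destroy_would_unlink(k); }

/* After the fix: the destructor runs only for a successfully instantiated key. */
bool gc_guarded(const struct model_key *k) {
    return k->state == MODEL_INSTANTIATED && destroy_would_unlink(k);
}

int main(void) {
    struct model_key k;
    model_instantiate(&k);      /* healthy, unlinked keyring: nothing to unlink */
    printf("instantiated: unconditional=%d\n", gc_unconditional(&k));
    model_reject(&k, ENOKEY);   /* negatively instantiated keyring */
    printf("rejected: unconditional=%d guarded=%d\n", gc_unconditional(&k), gc_guarded(&k));
    return 0;
}
```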
Current thread:
- CVE request: crash when attempt to garbage collect an uninstantiated keyring Adam Maris (Oct 20)
- Re: CVE request: crash when attempt to garbage collect an uninstantiated keyring - Linux kernel cve-assign (Oct 20)