[kernel] r8368 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Sat Mar 17 00:17:54 UTC 2007 

Author: dannf
Date: Fri Mar 16 23:17:54 2007
New Revision: 8368

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/keys-serial-num-collision.patch
   dists/etch-security/linux-2.6/debian/patches/series/11etch1
Modified:
   dists/etch-security/linux-2.6/debian/changelog
Log:
* keys-serial-num-collision.patch
  [SECURITY] Fix the key serial number collision avoidance code in
  key_alloc_serial() that could lead to a local DoS (oops).
  (closes: #398470)
  See CVE-2007-0006

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Fri Mar 16 23:17:54 2007
@@ -1,3 +1,13 @@
+linux-2.6 (2.6.18.dfsg.1-11etch1) UNRELEASED; urgency=high
+
+  * keys-serial-num-collision.patch
+    [SECURITY] Fix the key serial number collision avoidance code in
+    key_alloc_serial() that could lead to a local DoS (oops).
+    (closes: #398470)
+    See CVE-2007-0006
+
+ -- dann frazier <dannf at debian.org>  Fri, 16 Mar 2007 17:15:06 -0600
+
 linux-2.6 (2.6.18.dfsg.1-11) unstable; urgency=low
 
   [ Jurij Smakov ]

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/keys-serial-num-collision.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/keys-serial-num-collision.patch	Fri Mar 16 23:17:54 2007
@@ -0,0 +1,92 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 6 Feb 2007 13:45:51 +0000 (+0000)
+Subject: [PATCH] Keys: Fix key serial number collision handling
+X-Git-Tag: v2.6.21-rc2~42^2~22
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9ad0830f307bcd8dc285cfae58998d43b21727f4
+
+[PATCH] Keys: Fix key serial number collision handling
+
+Fix the key serial number collision avoidance code in key_alloc_serial().
+
+This didn't use to be so much of a problem as the key serial numbers were
+allocated from a simple incremental counter, and it would have to go through
+two billion keys before it could possibly encounter a collision.  However, now
+that random numbers are used instead, collisions are much more likely.
+
+This is fixed by finding a hole in the rbtree where the next unused serial
+number ought to be and using that by going almost back to the top of the
+insertion routine and redoing the insertion with the new serial number rather
+than trying to be clever and attempting to work out the insertion point
+pointer directly.
+
+This fixes kernel BZ #7727.
+
+Signed-off-by: David Howells <dhowells at redhat.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+diff --git a/security/keys/key.c b/security/keys/key.c
+index ac9326c..700400d 100644
+--- a/security/keys/key.c
++++ b/security/keys/key.c
+@@ -188,6 +188,7 @@ static inline void key_alloc_serial(struct key *key)
+ 
+ 	spin_lock(&key_serial_lock);
+ 
++attempt_insertion:
+ 	parent = NULL;
+ 	p = &key_serial_tree.rb_node;
+ 
+@@ -202,39 +203,33 @@ static inline void key_alloc_serial(struct key *key)
+ 		else
+ 			goto serial_exists;
+ 	}
+-	goto insert_here;
++
++	/* we've found a suitable hole - arrange for this key to occupy it */
++	rb_link_node(&key->serial_node, parent, p);
++	rb_insert_color(&key->serial_node, &key_serial_tree);
++
++	spin_unlock(&key_serial_lock);
++	return;
+ 
+ 	/* we found a key with the proposed serial number - walk the tree from
+ 	 * that point looking for the next unused serial number */
+ serial_exists:
+ 	for (;;) {
+ 		key->serial++;
+-		if (key->serial < 2)
+-			key->serial = 2;
+-
+-		if (!rb_parent(parent))
+-			p = &key_serial_tree.rb_node;
+-		else if (rb_parent(parent)->rb_left == parent)
+-			p = &(rb_parent(parent)->rb_left);
+-		else
+-			p = &(rb_parent(parent)->rb_right);
++		if (key->serial < 3) {
++			key->serial = 3;
++			goto attempt_insertion;
++		}
+ 
+ 		parent = rb_next(parent);
+ 		if (!parent)
+-			break;
++			goto attempt_insertion;
+ 
+ 		xkey = rb_entry(parent, struct key, serial_node);
+ 		if (key->serial < xkey->serial)
+-			goto insert_here;
++			goto attempt_insertion;
+ 	}
+ 
+-	/* we've found a suitable hole - arrange for this key to occupy it */
+-insert_here:
+-	rb_link_node(&key->serial_node, parent, p);
+-	rb_insert_color(&key->serial_node, &key_serial_tree);
+-
+-	spin_unlock(&key_serial_lock);
+-
+ } /* end key_alloc_serial() */
+ 
+ /*****************************************************************************/

Added: dists/etch-security/linux-2.6/debian/patches/series/11etch1
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/series/11etch1	Fri Mar 16 23:17:54 2007
@@ -0,0 +1 @@
++ bugfix/keys-serial-num-collision.patch

More information about the Kernel-svn-changes mailing list