[kernel] r17477 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sun May 29 18:41:16 UTC 2011


Author: dannf
Date: Sun May 29 18:41:14 2011
New Revision: 17477

Log:
cifs: Fix cache stuffing issue in the dns_resolver keyring (CVE-2010-2524)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fs-cifs-reject-dns-upcall-add_key-req-from-userspace.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/security-keys-new-key-flag-for-add_key-from-userspace.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny3

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon May 23 04:30:51 2011	(r17476)
+++ dists/lenny-security/linux-2.6/debian/changelog	Sun May 29 18:41:14 2011	(r17477)
@@ -26,6 +26,7 @@
     (CVE-2011-1182)
   * Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo (CVE-2011-1182)
   * proc: protect mm start_code/end_code in /proc/pid/stat (CVE-2011-0726)
+  * cifs: Fix cache stuffing issue in the dns_resolver keyring (CVE-2010-2524)
 
   [ Ben Hutchings ]
   * [vserver] Complete fix for CVE-2010-4243 (Closes: #618485)

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fs-cifs-reject-dns-upcall-add_key-req-from-userspace.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fs-cifs-reject-dns-upcall-add_key-req-from-userspace.patch	Sun May 29 18:41:14 2011	(r17477)
@@ -0,0 +1,33 @@
+From: Jeff Layton <jlayton at redhat.com>
+Date: Thu, 8 Jul 2010 14:00:27 -0400
+Subject: [fs] cifs: reject DNS upcall add_key req from userspace
+Message-id: <1278597627-23193-3-git-send-email-jlayton at redhat.com>
+Patchwork-id: 26764
+O-Subject: [RHEL5.6 PATCH 2/2] BZ#612171: cifs: have DNS upcall reject add_key
+	requests from userspace
+Bugzilla: 612171
+CVE: CVE-2010-2524
+RH-Acked-by: Steve Dickson <SteveD at redhat.com>
+RH-Acked-by: David Howells <dhowells at redhat.com>
+
+The dns_resolver keyring is susceptible to cache stuffing -- a user
+could preload the keyring and then trick the kernel into following a DFS
+referral to a server of his choosing. Use KEY_FLAG_ADDED to reject
+add_key requests for the dns_resolver key type.
+
+Signed-off-by: Jeff Layton <jlayton at redhat.com>
+[dannf: Ported to Debian's 2.6.26]
+
+diff -urpN linux-source-2.6.26.orig/fs/cifs/dns_resolve.c linux-source-2.6.26/fs/cifs/dns_resolve.c
+--- linux-source-2.6.26.orig/fs/cifs/dns_resolve.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/fs/cifs/dns_resolve.c	2011-05-29 12:16:29.488948431 -0600
+@@ -35,6 +35,9 @@ static int dns_resolver_instantiate(stru
+ 	int rc = 0;
+ 	char *ip;
+ 
++	if (test_bit(KEY_FLAG_ADDED, &key->flags))
++		return -EACCES;
++
+ 	ip = kmalloc(datalen+1, GFP_KERNEL);
+ 	if (!ip)
+ 		return -ENOMEM;
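
Review bot: The new KEY_FLAG_ADDED test at the top of dns_resolver_instantiate() has no comment saying why it returns -EACCES, and it only has an effect once the companion keys patch, which sets the flag in key_create_or_update(), is applied. A one-line comment above the test, for example "reject payloads supplied through add_key(); only results of the kernel's own upcall are trusted", would keep that dependency visible to whoever next touches this function. Placing the test ahead of the kmalloc() is right, since the rejected path then has nothing to free.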

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/security-keys-new-key-flag-for-add_key-from-userspace.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/security-keys-new-key-flag-for-add_key-from-userspace.patch	Sun May 29 18:41:14 2011	(r17477)
@@ -0,0 +1,46 @@
+From: Jeff Layton <jlayton at redhat.com>
+Date: Thu, 8 Jul 2010 14:00:26 -0400
+Subject: [security] keys: new key flag for add_key from userspace
+Message-id: <1278597627-23193-2-git-send-email-jlayton at redhat.com>
+Patchwork-id: 26762
+O-Subject: [RHEL5.6 PATCH 1/2] BZ#612171: keys: new key flag to indicate an
+	add_key from userspace
+Bugzilla: 612171
+CVE: CVE-2010-2524
+RH-Acked-by: Steve Dickson <SteveD at redhat.com>
+RH-Acked-by: David Howells <dhowells at redhat.com>
+
+For some keys, we don't really want to allow users to stuff the keyring
+with values of their own choosing. Add a new key flag that indicates that
+an instantiation request is for an add_key() call from userspace. The
+instantiation routine for the key can then reject requests based on this
+if it needs to.
+
+Signed-off-by: Jeff Layton <jlayton at redhat.com>
+
+diff --git a/include/linux/key.h b/include/linux/key.h
+index 451063a..51c1bcb 100644
+--- a/include/linux/key.h
++++ b/include/linux/key.h
+@@ -150,6 +150,7 @@ struct key {
+ #define KEY_FLAG_IN_QUOTA	3	/* set if key consumes quota */
+ #define KEY_FLAG_USER_CONSTRUCT	4	/* set if key is being constructed in userspace */
+ #define KEY_FLAG_NEGATIVE	5	/* set if key is negative */
++#define KEY_FLAG_ADDED		6	/* set if key is being added via userspace add_key */
+ 
+ 	/* the description string
+ 	 * - this is used to match a key against search criteria
+diff --git a/security/keys/key.c b/security/keys/key.c
+index 98f1f85..52b7b55 100644
+--- a/security/keys/key.c
++++ b/security/keys/key.c
+@@ -839,6 +839,9 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
+ 		goto error_3;
+ 	}
+ 
++	/* this is an unsolicited add_key() call from userspace */
++	set_bit(KEY_FLAG_ADDED, &key->flags);
++
+ 	/* instantiate it and link it into the target keyring */
+ 	ret = __key_instantiate_and_link(key, payload, plen, keyring, NULL);
+ 	if (ret < 0) {
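
Review bot: In the key.c hunk, set_bit(KEY_FLAG_ADDED, &key->flags) sits directly before __key_instantiate_and_link(), so it tags every key instantiated through key_create_or_update() whoever the caller is, and nothing in the patch clears the bit afterwards. Please confirm two things that lie outside the visible context: that no in-kernel caller of key_create_or_update() legitimately needs to create dns_resolver keys, and that any path in this function which updates an existing key rather than instantiating a new one cannot be used to replace a dns_resolver payload. The key.h comment says "is being added", which reads as a transient state; since the bit stays set for the life of the key, "was added via userspace add_key" would describe it more accurately.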

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon May 23 04:30:51 2011	(r17476)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Sun May 29 18:41:14 2011	(r17477)
@@ -22,3 +22,5 @@
 + bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch
 + bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code-regression.patch
 + bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch
++ bugfix/all/security-keys-new-key-flag-for-add_key-from-userspace.patch
++ bugfix/all/fs-cifs-reject-dns-upcall-add_key-req-from-userspace.patch


