[kernel] r18469 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sun Jan 8 10:34:21 UTC 2012 

Author: dannf
Date: Sun Jan  8 10:34:19 2012
New Revision: 18469

Log:
KEYS: Fix a NULL pointer deref in the user-defined key type (CVE-2011-4110)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/KEYS-Fix-a-NULL-pointer-deref-in-the-user-defined-key-type.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/27lenny1

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Sun Jan  8 10:34:16 2012	(r18468)
+++ dists/lenny-security/linux-2.6/debian/changelog	Sun Jan  8 10:34:19 2012	(r18469)
@@ -2,6 +2,7 @@
 
   * hfs: fix hfs_find_init() sb->ext_tree NULL ptr oops (CVE-2011-2203)
   * xfs: Fix possible memory corruption in xfs_readlink (CVE-2011-4077)
+  * KEYS: Fix a NULL pointer deref in the user-defined key type (CVE-2011-4110)
 
  -- dann frazier <dannf at debian.org>  Fri, 06 Jan 2012 21:15:07 -0700
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/KEYS-Fix-a-NULL-pointer-deref-in-the-user-defined-key-type.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/KEYS-Fix-a-NULL-pointer-deref-in-the-user-defined-key-type.patch	Sun Jan  8 10:34:19 2012	(r18469)
@@ -0,0 +1,65 @@
+commit 9f35a33b8d06263a165efe3541d9aa0cdbd70b3b
+Author: David Howells <dhowells at redhat.com>
+Date:   Tue Nov 15 22:09:45 2011 +0000
+
+    KEYS: Fix a NULL pointer deref in the user-defined key type
+    
+    Fix a NULL pointer deref in the user-defined key type whereby updating a
+    negative key into a fully instantiated key will cause an oops to occur
+    when the code attempts to free the non-existent old payload.
+    
+    This results in an oops that looks something like the following:
+    
+      BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+      IP: [<ffffffff81085fa1>] __call_rcu+0x11/0x13e
+      PGD 3391d067 PUD 3894a067 PMD 0
+      Oops: 0002 [#1] SMP
+      CPU 1
+      Pid: 4354, comm: keyctl Not tainted 3.1.0-fsdevel+ #1140                  /DG965RY
+      RIP: 0010:[<ffffffff81085fa1>]  [<ffffffff81085fa1>] __call_rcu+0x11/0x13e
+      RSP: 0018:ffff88003d591df8  EFLAGS: 00010246
+      RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000006e
+      RDX: ffffffff8161d0c0 RSI: 0000000000000000 RDI: 0000000000000000
+      RBP: ffff88003d591e18 R08: 0000000000000000 R09: ffffffff8152fa6c
+      R10: 0000000000000000 R11: 0000000000000300 R12: ffff88003b8f9538
+      R13: ffffffff8161d0c0 R14: ffff88003b8f9d50 R15: ffff88003c69f908
+      FS:  00007f97eb18c720(0000) GS:ffff88003bd00000(0000) knlGS:0000000000000000
+      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+      CR2: 0000000000000008 CR3: 000000003d47a000 CR4: 00000000000006e0
+      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+      Process keyctl (pid: 4354, threadinfo ffff88003d590000, task ffff88003c78a040)
+      Stack:
+       ffff88003e0ffde0 ffff88003b8f9538 0000000000000001 ffff88003b8f9d50
+       ffff88003d591e28 ffffffff810860f0 ffff88003d591e68 ffffffff8117bfea
+       ffff88003d591e68 ffffffff00000000 ffff88003e0ffde1 ffff88003e0ffde0
+      Call Trace:
+       [<ffffffff810860f0>] call_rcu_sched+0x10/0x12
+       [<ffffffff8117bfea>] user_update+0x8d/0xa2
+       [<ffffffff8117723a>] key_create_or_update+0x236/0x270
+       [<ffffffff811789b1>] sys_add_key+0x123/0x17e
+       [<ffffffff813b84bb>] system_call_fastpath+0x16/0x1b
+    
+    Signed-off-by: David Howells <dhowells at redhat.com>
+    Acked-by: Jeff Layton <jlayton at redhat.com>
+    Acked-by: Neil Horman <nhorman at redhat.com>
+    Acked-by: Steve Dickson <steved at redhat.com>
+    Acked-by: James Morris <jmorris at namei.org>
+    Cc: stable at kernel.org
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    [dannf: backported to Debian's 2.6.32]
+
+diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
+index 7c687d5..97edf29 100644
+--- a/security/keys/user_defined.c
++++ b/security/keys/user_defined.c
+@@ -119,7 +119,8 @@ int user_update(struct key *key, const void *data, size_t datalen)
+ 		key->expiry = 0;
+ 	}
+ 
+-	call_rcu(&zap->rcu, user_update_rcu_disposal);
++	if (zap)
++		call_rcu(&zap->rcu, user_update_rcu_disposal);
+ 
+ error:
+ 	return ret;

Modified: dists/lenny-security/linux-2.6/debian/patches/series/27lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/27lenny1	Sun Jan  8 10:34:16 2012	(r18468)
+++ dists/lenny-security/linux-2.6/debian/patches/series/27lenny1	Sun Jan  8 10:34:19 2012	(r18469)
@@ -1,2 +1,3 @@
 + bugfix/all/hfs-fix-hfs_find_init-ext_tree-NULL-ptr-oops.patch
 + bugfix/all/xfs-fix-possible-memory-corruption-in-xfs_readlink.patch
++ bugfix/all/KEYS-Fix-a-NULL-pointer-deref-in-the-user-defined-key-type.patch

More information about the Kernel-svn-changes mailing list