[linux] 01/01: KEYS: Fix race between read and revoke (CVE-2015-7550)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Thu Dec 31 02:53:59 UTC 2015
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch sid
in repository linux.
commit e57c91d8867ce42a7d8f2e86a93c2fe8931f74c4
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Thu Dec 31 02:53:31 2015 +0000
KEYS: Fix race between read and revoke (CVE-2015-7550)
---
debian/changelog | 1 +
.../keys-fix-race-between-read-and-revoke.patch | 110 +++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 112 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index cc7f499..bcb12a9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,7 @@ linux (4.3.3-3) UNRELEASED; urgency=medium
* [xen] pciback: Fix state validation in MSI control operations
(CVE-2015-8551, CVE-2015-8852, XSA-157)
* ptrace: being capable wrt a process requires mapped uids/gids
+ * KEYS: Fix race between read and revoke (CVE-2015-7550)
[ Salvatore Bonaccorso ]
* ovl: fix permission checking for setattr (CVE-2015-8660)
diff --git a/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch b/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch
new file mode 100644
index 0000000..e75e677
--- /dev/null
+++ b/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch
@@ -0,0 +1,110 @@
+From: David Howells <dhowells at redhat.com>
+Date: Fri, 18 Dec 2015 01:34:26 +0000
+Subject: KEYS: Fix race between read and revoke
+Origin: https://git.kernel.org/linus/b4a1b4f5047e4f54e194681125c74c0aa64d637d
+
+This fixes CVE-2015-7550.
+
+There's a race between keyctl_read() and keyctl_revoke(). If the revoke
+happens between keyctl_read() checking the validity of a key and the key's
+semaphore being taken, then the key type read method will see a revoked key.
+
+This causes a problem for the user-defined key type because it assumes in
+its read method that there will always be a payload in a non-revoked key
+and doesn't check for a NULL pointer.
+
+Fix this by making keyctl_read() check the validity of a key after taking
+semaphore instead of before.
+
+I think the bug was introduced with the original keyrings code.
+
+This was discovered by a multithreaded test program generated by syzkaller
+(http://github.com/google/syzkaller). Here's a cleaned up version:
+
+ #include <sys/types.h>
+ #include <keyutils.h>
+ #include <pthread.h>
+ void *thr0(void *arg)
+ {
+ key_serial_t key = (unsigned long)arg;
+ keyctl_revoke(key);
+ return 0;
+ }
+ void *thr1(void *arg)
+ {
+ key_serial_t key = (unsigned long)arg;
+ char buffer[16];
+ keyctl_read(key, buffer, 16);
+ return 0;
+ }
+ int main()
+ {
+ key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
+ pthread_t th[5];
+ pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
+ pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
+ pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
+ pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
+ pthread_join(th[0], 0);
+ pthread_join(th[1], 0);
+ pthread_join(th[2], 0);
+ pthread_join(th[3], 0);
+ return 0;
+ }
+
+Build as:
+
+ cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread
+
+Run as:
+
+ while keyctl-race; do :; done
+
+as it may need several iterations to crash the kernel. The crash can be
+summarised as:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
+ IP: [<ffffffff81279b08>] user_read+0x56/0xa3
+ ...
+ Call Trace:
+ [<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
+ [<ffffffff81277815>] SyS_keyctl+0x83/0xe0
+ [<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f
+
+Reported-by: Dmitry Vyukov <dvyukov at google.com>
+Signed-off-by: David Howells <dhowells at redhat.com>
+Tested-by: Dmitry Vyukov <dvyukov at google.com>
+Cc: stable at vger.kernel.org
+Signed-off-by: James Morris <james.l.morris at oracle.com>
+---
+ security/keys/keyctl.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -757,16 +757,16 @@ long keyctl_read_key(key_serial_t keyid,
+
+ /* the key is probably readable - now try to read it */
+ can_read_key:
+- ret = key_validate(key);
+- if (ret == 0) {
+- ret = -EOPNOTSUPP;
+- if (key->type->read) {
+- /* read the data with the semaphore held (since we
+- * might sleep) */
+- down_read(&key->sem);
++ ret = -EOPNOTSUPP;
++ if (key->type->read) {
++ /* Read the data with the semaphore held (since we might sleep)
++ * to protect against the key being updated or revoked.
++ */
++ down_read(&key->sem);
++ ret = key_validate(key);
++ if (ret == 0)
+ ret = key->type->read(key, buffer, buflen);
+- up_read(&key->sem);
+- }
++ up_read(&key->sem);
+ }
+
+ error2:
diff --git a/debian/patches/series b/debian/patches/series
index d502c62..9cafb25 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -126,3 +126,4 @@ bugfix/all/xen-pciback-do-not-install-an-irq-handler-for-msi-in.patch
bugfix/all/xen-pciback-for-xen_pci_op_disable_msi-x-only-disabl.patch
bugfix/all/xen-pciback-don-t-allow-msi-x-ops-if-pci_command_mem.patch
bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
+bugfix/all/keys-fix-race-between-read-and-revoke.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list