[linux] 01/01: KEYS: Fix race between read and revoke (CVE-2015-7550)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Dec 31 02:54:04 UTC 2015 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch squeeze-security
in repository linux.

commit 8470c5fb4abc2126788ff631b6f560fb5ef59884
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Thu Dec 31 02:50:28 2015 +0000

    KEYS: Fix race between read and revoke (CVE-2015-7550)
---
 debian/changelog                                   |   1 +
 .../keys-fix-race-between-read-and-revoke.patch    | 111 +++++++++++++++++++++
 debian/patches/series/48squeeze18                  |   1 +
 3 files changed, 113 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 4d7318e..e9f89d5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ linux-2.6 (2.6.32-48squeeze18) UNRELEASED; urgency=medium
 
   * net: add validation for the socket syscall protocol argument (CVE-2015-8543)
   * bluetooth: Validate socket address length in sco_sock_bind() (CVE-2015-8575)
+  * KEYS: Fix race between read and revoke (CVE-2015-7550)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sun, 27 Dec 2015 20:06:05 +0000
 
diff --git a/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch b/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch
new file mode 100644
index 0000000..7f50c32
--- /dev/null
+++ b/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch
@@ -0,0 +1,111 @@
+From: David Howells <dhowells at redhat.com>
+Date: Fri, 18 Dec 2015 01:34:26 +0000
+Subject: KEYS: Fix race between read and revoke
+Origin: https://git.kernel.org/linus/b4a1b4f5047e4f54e194681125c74c0aa64d637d
+
+This fixes CVE-2015-7550.
+
+There's a race between keyctl_read() and keyctl_revoke().  If the revoke
+happens between keyctl_read() checking the validity of a key and the key's
+semaphore being taken, then the key type read method will see a revoked key.
+
+This causes a problem for the user-defined key type because it assumes in
+its read method that there will always be a payload in a non-revoked key
+and doesn't check for a NULL pointer.
+
+Fix this by making keyctl_read() check the validity of a key after taking
+semaphore instead of before.
+
+I think the bug was introduced with the original keyrings code.
+
+This was discovered by a multithreaded test program generated by syzkaller
+(http://github.com/google/syzkaller).  Here's a cleaned up version:
+
+	#include <sys/types.h>
+	#include <keyutils.h>
+	#include <pthread.h>
+	void *thr0(void *arg)
+	{
+		key_serial_t key = (unsigned long)arg;
+		keyctl_revoke(key);
+		return 0;
+	}
+	void *thr1(void *arg)
+	{
+		key_serial_t key = (unsigned long)arg;
+		char buffer[16];
+		keyctl_read(key, buffer, 16);
+		return 0;
+	}
+	int main()
+	{
+		key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
+		pthread_t th[5];
+		pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
+		pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
+		pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
+		pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
+		pthread_join(th[0], 0);
+		pthread_join(th[1], 0);
+		pthread_join(th[2], 0);
+		pthread_join(th[3], 0);
+		return 0;
+	}
+
+Build as:
+
+	cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread
+
+Run as:
+
+	while keyctl-race; do :; done
+
+as it may need several iterations to crash the kernel.  The crash can be
+summarised as:
+
+	BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
+	IP: [<ffffffff81279b08>] user_read+0x56/0xa3
+	...
+	Call Trace:
+	 [<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
+	 [<ffffffff81277815>] SyS_keyctl+0x83/0xe0
+	 [<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f
+
+Reported-by: Dmitry Vyukov <dvyukov at google.com>
+Signed-off-by: David Howells <dhowells at redhat.com>
+Tested-by: Dmitry Vyukov <dvyukov at google.com>
+Cc: stable at vger.kernel.org
+Signed-off-by: James Morris <james.l.morris at oracle.com>
+[bwh: Backported to 2.6.32: adjust context]
+---
+ security/keys/keyctl.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -674,16 +674,16 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
+ 
+ 	/* the key is probably readable - now try to read it */
+  can_read_key:
+-	ret = key_validate(key);
+-	if (ret == 0) {
+-		ret = -EOPNOTSUPP;
+-		if (key->type->read) {
+-			/* read the data with the semaphore held (since we
+-			 * might sleep) */
+-			down_read(&key->sem);
++	ret = -EOPNOTSUPP;
++	if (key->type->read) {
++		/* Read the data with the semaphore held (since we might sleep)
++		 * to protect against the key being updated or revoked.
++		 */
++		down_read(&key->sem);
++		ret = key_validate(key);
++		if (ret == 0)
+ 			ret = key->type->read(key, buffer, buflen);
+-			up_read(&key->sem);
+-		}
++		up_read(&key->sem);
+ 	}
+ 
+  error2:
diff --git a/debian/patches/series/48squeeze18 b/debian/patches/series/48squeeze18
index a05ec9e..23b0906 100644
--- a/debian/patches/series/48squeeze18
+++ b/debian/patches/series/48squeeze18
@@ -1,2 +1,3 @@
 + bugfix/all/net-add-validation-for-the-socket-syscall-protocol-a.patch
 + bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch
++ bugfix/all/keys-fix-race-between-read-and-revoke.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list