[linux] 01/01: Update to 4.4-rc8

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Mon Jan 4 01:57:18 UTC 2016 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch master
in repository linux.

commit 0f11ea7f19defff0bbd8dc24042f63407bbcfbdf
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Mon Jan 4 01:57:00 2016 +0000

    Update to 4.4-rc8
---
 debian/changelog                                   |   2 +-
 .../keys-fix-race-between-read-and-revoke.patch    | 110 ---------------------
 debian/patches/series                              |   1 -
 3 files changed, 1 insertion(+), 112 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 722402a..faecfea 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (4.4~rc7-1~exp1) UNRELEASED; urgency=medium
+linux (4.4~rc8-1~exp1) UNRELEASED; urgency=medium
 
   * New upstream release candidate
 
diff --git a/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch b/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch
deleted file mode 100644
index e75e677..0000000
--- a/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From: David Howells <dhowells at redhat.com>
-Date: Fri, 18 Dec 2015 01:34:26 +0000
-Subject: KEYS: Fix race between read and revoke
-Origin: https://git.kernel.org/linus/b4a1b4f5047e4f54e194681125c74c0aa64d637d
-
-This fixes CVE-2015-7550.
-
-There's a race between keyctl_read() and keyctl_revoke().  If the revoke
-happens between keyctl_read() checking the validity of a key and the key's
-semaphore being taken, then the key type read method will see a revoked key.
-
-This causes a problem for the user-defined key type because it assumes in
-its read method that there will always be a payload in a non-revoked key
-and doesn't check for a NULL pointer.
-
-Fix this by making keyctl_read() check the validity of a key after taking
-semaphore instead of before.
-
-I think the bug was introduced with the original keyrings code.
-
-This was discovered by a multithreaded test program generated by syzkaller
-(http://github.com/google/syzkaller).  Here's a cleaned up version:
-
-	#include <sys/types.h>
-	#include <keyutils.h>
-	#include <pthread.h>
-	void *thr0(void *arg)
-	{
-		key_serial_t key = (unsigned long)arg;
-		keyctl_revoke(key);
-		return 0;
-	}
-	void *thr1(void *arg)
-	{
-		key_serial_t key = (unsigned long)arg;
-		char buffer[16];
-		keyctl_read(key, buffer, 16);
-		return 0;
-	}
-	int main()
-	{
-		key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
-		pthread_t th[5];
-		pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
-		pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
-		pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
-		pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
-		pthread_join(th[0], 0);
-		pthread_join(th[1], 0);
-		pthread_join(th[2], 0);
-		pthread_join(th[3], 0);
-		return 0;
-	}
-
-Build as:
-
-	cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread
-
-Run as:
-
-	while keyctl-race; do :; done
-
-as it may need several iterations to crash the kernel.  The crash can be
-summarised as:
-
-	BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
-	IP: [<ffffffff81279b08>] user_read+0x56/0xa3
-	...
-	Call Trace:
-	 [<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
-	 [<ffffffff81277815>] SyS_keyctl+0x83/0xe0
-	 [<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f
-
-Reported-by: Dmitry Vyukov <dvyukov at google.com>
-Signed-off-by: David Howells <dhowells at redhat.com>
-Tested-by: Dmitry Vyukov <dvyukov at google.com>
-Cc: stable at vger.kernel.org
-Signed-off-by: James Morris <james.l.morris at oracle.com>
----
- security/keys/keyctl.c | 18 +++++++++---------
- 1 file changed, 9 insertions(+), 9 deletions(-)
-
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -757,16 +757,16 @@ long keyctl_read_key(key_serial_t keyid,
- 
- 	/* the key is probably readable - now try to read it */
- can_read_key:
--	ret = key_validate(key);
--	if (ret == 0) {
--		ret = -EOPNOTSUPP;
--		if (key->type->read) {
--			/* read the data with the semaphore held (since we
--			 * might sleep) */
--			down_read(&key->sem);
-+	ret = -EOPNOTSUPP;
-+	if (key->type->read) {
-+		/* Read the data with the semaphore held (since we might sleep)
-+		 * to protect against the key being updated or revoked.
-+		 */
-+		down_read(&key->sem);
-+		ret = key_validate(key);
-+		if (ret == 0)
- 			ret = key->type->read(key, buffer, buflen);
--			up_read(&key->sem);
--		}
-+		up_read(&key->sem);
- 	}
- 
- error2:
diff --git a/debian/patches/series b/debian/patches/series
index 7239f39..125045f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -96,4 +96,3 @@ features/all/grsecurity/grkernsec_perf_harden.patch
 bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
 bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
 bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
-bugfix/all/keys-fix-race-between-read-and-revoke.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list