[linux] 02/03: KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings (CVE-2016-9604)

debian-kernel at lists.debian.org
Sat Apr 22 01:27:49 UTC 2017


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch sid
in repository linux.

commit 89402402c88bd75804b8e992ec6db37a262763a9
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sat Apr 22 02:25:04 2017 +0100

    KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings (CVE-2016-9604)
---
 debian/changelog                                   |  2 +
 ...ow-keyrings-beginning-with-.-to-be-joined.patch | 76 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 79 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index ce4076c..2ec2724 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -325,6 +325,8 @@ linux (4.9.24-1) UNRELEASED; urgency=medium
     - rtmutex: Provide rt_mutex_lock_state()
     - rtmutex: Provide locked slowpath
     - rwsem/rt: Lift single reader restriction
+  * KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings
+    (CVE-2016-9604)
 
   [ Salvatore Bonaccorso ]
   * ping: implement proper locking (CVE-2017-2671)
diff --git a/debian/patches/bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch b/debian/patches/bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch
new file mode 100644
index 0000000..2ce0055
--- /dev/null
+++ b/debian/patches/bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch
@@ -0,0 +1,76 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 18 Apr 2017 15:31:07 +0100
+Subject: KEYS: Disallow keyrings beginning with '.' to be joined as session
+ keyrings
+Origin: https://git.kernel.org/linus/ee8f844e3c5a73b999edf733df1c529d6503ec2f
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9604
+
+This fixes CVE-2016-9604.
+
+Keyrings whose name begin with a '.' are special internal keyrings and so
+userspace isn't allowed to create keyrings by this name to prevent
+shadowing.  However, the patch that added the guard didn't fix
+KEYCTL_JOIN_SESSION_KEYRING.  Not only can that create dot-named keyrings,
+it can also subscribe to them as a session keyring if they grant SEARCH
+permission to the user.
+
+This, for example, allows a root process to set .builtin_trusted_keys as
+its session keyring, at which point it has full access because now the
+possessor permissions are added.  This permits root to add extra public
+keys, thereby bypassing module verification.
+
+This also affects kexec and IMA.
+
+This can be tested by (as root):
+
+	keyctl session .builtin_trusted_keys
+	keyctl add user a a @s
+	keyctl list @s
+
+which on my test box gives me:
+
+	2 keys in keyring:
+	180010936: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: ae3d4a31b82daa8e1a75b49dc2bba949fd992a05
+	801382539: --alswrv     0     0 user: a
+
+
+Fix this by rejecting names beginning with a '.' in the keyctl.
+
+Signed-off-by: David Howells <dhowells at redhat.com>
+Acked-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
+cc: linux-ima-devel at lists.sourceforge.net
+cc: stable at vger.kernel.org
+---
+ security/keys/keyctl.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -271,7 +271,8 @@ error:
+  * Create and join an anonymous session keyring or join a named session
+  * keyring, creating it if necessary.  A named session keyring must have Search
+  * permission for it to be joined.  Session keyrings without this permit will
+- * be skipped over.
++ * be skipped over.  It is not permitted for userspace to create or join
++ * keyrings whose name begin with a dot.
+  *
+  * If successful, the ID of the joined session keyring will be returned.
+  */
+@@ -288,12 +289,16 @@ long keyctl_join_session_keyring(const c
+ 			ret = PTR_ERR(name);
+ 			goto error;
+ 		}
++
++		ret = -EPERM;
++		if (name[0] == '.')
++			goto error_name;
+ 	}
+ 
+ 	/* join the session */
+ 	ret = join_session_keyring(name);
++error_name:
+ 	kfree(name);
+-
+ error:
+ 	return ret;
+ }
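Review bot: The new `name[0] == '.'` rejection sits inside the block that copies the user-supplied name (the closing brace comes right after `goto error_name;`), so the anonymous-session path, where no name is copied, never dereferences it, and the added `error_name:` label routes the -EPERM exit through `kfree(name)` instead of leaking the strndup'd buffer; both look correct. One nit in the comment hunk: `keyrings whose name begin with a dot` should read `whose names begin with a dot`, but since this is the verbatim upstream commit (see the Origin: line) it is better left as-is than diverged in the Debian copy. The recipe in the description (`keyctl session .builtin_trusted_keys` as root) doubles as the regression check for the backport: with this hunk applied it should fail with EPERM rather than listing the trusted keyring, which is a quick way to confirm the patch actually landed in the 4.9.24 build.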
diff --git a/debian/patches/series b/debian/patches/series
index cc1800b..81c50d2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -108,6 +108,7 @@ debian/time-mark-timer_stats-as-broken.patch
 bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
 bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
 bugfix/all/ping-implement-proper-locking.patch
+bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch
 
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
