[linux] 03/11: KEYS: Prevent user access to keyrings whose names start with '.'

debian-kernel at lists.debian.org
Wed Apr 26 23:25:01 UTC 2017


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit 22b55b25fe9b47fdc2182b730d29fc44d9bf8892
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Apr 26 23:15:55 2017 +0100

    KEYS: Prevent user access to keyrings whose names start with '.'
    
    This was mostly fixed without a CVE, but with one case missed which is
    designated CVE-2016-9604.
---
 debian/changelog                                   |  4 ++
 ...ow-keyrings-beginning-with-.-to-be-joined.patch | 76 ++++++++++++++++++++++
 ...ate-eperm-for-a-key-type-name-beginning-w.patch | 39 +++++++++++
 ...special-dot-prefixed-keyring-name-bug-fix.patch | 49 ++++++++++++++
 debian/patches/series                              |  3 +
 5 files changed, 171 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index f38928a..22e59e1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -173,6 +173,10 @@ linux (3.2.88-1) UNRELEASED; urgency=medium
   [ Ben Hutchings ]
   * timer: Restrict timer_stats to initial PID namespace (CVE-2017-5967)
   * USB: iowarrior: fix NULL-deref at probe (CVE-2016-2188)
+  * KEYS: special dot prefixed keyring name bug fix
+  * KEYS: Reinstate EPERM for a key type name beginning with a '.'
+  * KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings
+    (CVE-2016-9604)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Mon, 13 Mar 2017 23:12:35 +0000
 
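Review bot: the first two changelog entries reuse the upstream subject lines verbatim, and "special dot prefixed keyring name bug fix" does not tell a reader what changed; since only the third entry carries CVE-2016-9604 and the commit message says the other two were fixed without a CVE, consider making the first entry self-describing, e.g. "KEYS: Prevent userspace from creating keyrings with dot-prefixed names", and noting that the first two patches are prerequisites for the CVE fix.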
diff --git a/debian/patches/bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch b/debian/patches/bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch
new file mode 100644
index 0000000..496bd33
--- /dev/null
+++ b/debian/patches/bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch
@@ -0,0 +1,76 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 18 Apr 2017 15:31:07 +0100
+Subject: KEYS: Disallow keyrings beginning with '.' to be joined as session
+ keyrings
+Origin: https://git.kernel.org/linus/ee8f844e3c5a73b999edf733df1c529d6503ec2f
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9604
+
+This fixes CVE-2016-9604.
+
+Keyrings whose name begin with a '.' are special internal keyrings and so
+userspace isn't allowed to create keyrings by this name to prevent
+shadowing.  However, the patch that added the guard didn't fix
+KEYCTL_JOIN_SESSION_KEYRING.  Not only can that create dot-named keyrings,
+it can also subscribe to them as a session keyring if they grant SEARCH
+permission to the user.
+
+This, for example, allows a root process to set .builtin_trusted_keys as
+its session keyring, at which point it has full access because now the
+possessor permissions are added.  This permits root to add extra public
+keys, thereby bypassing module verification.
+
+This also affects kexec and IMA.
+
+This can be tested by (as root):
+
+	keyctl session .builtin_trusted_keys
+	keyctl add user a a @s
+	keyctl list @s
+
+which on my test box gives me:
+
+	2 keys in keyring:
+	180010936: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: ae3d4a31b82daa8e1a75b49dc2bba949fd992a05
+	801382539: --alswrv     0     0 user: a
+
+
+Fix this by rejecting names beginning with a '.' in the keyctl.
+
+Signed-off-by: David Howells <dhowells at redhat.com>
+Acked-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
+cc: linux-ima-devel at lists.sourceforge.net
+cc: stable at vger.kernel.org
+---
+ security/keys/keyctl.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -263,7 +263,8 @@ error:
+  * Create and join an anonymous session keyring or join a named session
+  * keyring, creating it if necessary.  A named session keyring must have Search
+  * permission for it to be joined.  Session keyrings without this permit will
+- * be skipped over.
++ * be skipped over.  It is not permitted for userspace to create or join
++ * keyrings whose name begin with a dot.
+  *
+  * If successful, the ID of the joined session keyring will be returned.
+  */
+@@ -280,12 +281,16 @@ long keyctl_join_session_keyring(const c
+ 			ret = PTR_ERR(name);
+ 			goto error;
+ 		}
++
++		ret = -EPERM;
++		if (name[0] == '.')
++			goto error_name;
+ 	}
+ 
+ 	/* join the session */
+ 	ret = join_session_keyring(name);
++error_name:
+ 	kfree(name);
+-
+ error:
+ 	return ret;
+ }
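Review bot: the `-EPERM` rejection on `name[0] == '.'` is placed inside the block where `name` has just been copied from userspace (directly after the `ret = PTR_ERR(name)` error path), and the new `error_name:` label routes that rejection through `kfree(name)`, so the copied string is not leaked on the refused path. Note that the guard lives in `keyctl_join_session_keyring()` rather than in `join_session_keyring()`, so in-kernel callers can still join dot-prefixed keyrings, which matches the stated intent of reserving them for the kernel. Minor wording in the added comment: "keyrings whose name begin with a dot" should read "whose names begin with a dot".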
diff --git a/debian/patches/bugfix/all/keys-reinstate-eperm-for-a-key-type-name-beginning-w.patch b/debian/patches/bugfix/all/keys-reinstate-eperm-for-a-key-type-name-beginning-w.patch
new file mode 100644
index 0000000..31c3553
--- /dev/null
+++ b/debian/patches/bugfix/all/keys-reinstate-eperm-for-a-key-type-name-beginning-w.patch
@@ -0,0 +1,39 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 16 Sep 2014 17:29:03 +0100
+Subject: KEYS: Reinstate EPERM for a key type name beginning with a '.'
+Origin: https://git.kernel.org/linus/54e2c2c1a9d6cbb270b0999a38545fa9a69bee43
+
+Reinstate the generation of EPERM for a key type name beginning with a '.' in
+a userspace call.  Types whose name begins with a '.' are internal only.
+
+The test was removed by:
+
+	commit a4e3b8d79a5c6d40f4a9703abf7fe3abcc6c3b8d
+	Author: Mimi Zohar <zohar at linux.vnet.ibm.com>
+	Date:   Thu May 22 14:02:23 2014 -0400
+	Subject: KEYS: special dot prefixed keyring name bug fix
+
+I think we want to keep the restriction on type name so that userspace can't
+add keys of a special internal type.
+
+Note that removal of the test causes several of the tests in the keyutils
+testsuite to fail.
+
+Signed-off-by: David Howells <dhowells at redhat.com>
+Acked-by: Vivek Goyal <vgoyal at redhat.com>
+cc: Mimi Zohar <zohar at linux.vnet.ibm.com>
+---
+ security/keys/keyctl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -35,6 +35,8 @@ static int key_get_type_from_user(char *
+ 		return ret;
+ 	if (ret == 0 || ret >= len)
+ 		return -EINVAL;
++	if (type[0] == '.')
++		return -EPERM;
+ 	type[len - 1] = '\0';
+ 	return 0;
+ }
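Review bot: the reinstated `if (type[0] == '.') return -EPERM;` is correctly placed after the `ret == 0 || ret >= len` length check, so `type[0]` is guaranteed to be a byte copied from the user buffer rather than uninitialised stack, and before `type[len - 1] = '\0'`, which does not affect the first byte. Since the preceding patch in this series removes exactly these two lines and this one re-adds them, the net effect on `key_get_type_from_user()` is nil; keeping both upstream commits separate is fine for traceability, but the changelog should make clear that the type-name restriction is unchanged overall.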
diff --git a/debian/patches/bugfix/all/keys-special-dot-prefixed-keyring-name-bug-fix.patch b/debian/patches/bugfix/all/keys-special-dot-prefixed-keyring-name-bug-fix.patch
new file mode 100644
index 0000000..16bb626
--- /dev/null
+++ b/debian/patches/bugfix/all/keys-special-dot-prefixed-keyring-name-bug-fix.patch
@@ -0,0 +1,49 @@
+From: Mimi Zohar <zohar at linux.vnet.ibm.com>
+Date: Thu, 22 May 2014 14:02:23 -0400
+Subject: KEYS: special dot prefixed keyring name bug fix
+Origin: https://git.kernel.org/linus/a4e3b8d79a5c6d40f4a9703abf7fe3abcc6c3b8d
+
+Dot prefixed keyring names are supposed to be reserved for the
+kernel, but add_key() calls key_get_type_from_user(), which
+incorrectly verifies the 'type' field, not the 'description' field.
+This patch verifies the 'description' field isn't dot prefixed,
+when creating a new keyring, and removes the dot prefix test in
+key_get_type_from_user().
+
+Changelog v6:
+- whitespace and other cleanup
+
+Changelog v5:
+- Only prevent userspace from creating a dot prefixed keyring, not
+  regular keys  - Dmitry
+
+Reported-by: Dmitry Kasatkin <d.kasatkin at samsung.com>
+Signed-off-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
+Acked-by: David Howells <dhowells at redhat.com>
+[bwh: Backported to 3.2: adjust context, indentation]
+---
+ security/keys/keyctl.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -35,8 +35,6 @@ static int key_get_type_from_user(char *
+ 		return ret;
+ 	if (ret == 0 || ret >= len)
+ 		return -EINVAL;
+-	if (type[0] == '.')
+-		return -EPERM;
+ 	type[len - 1] = '\0';
+ 	return 0;
+ }
+@@ -75,6 +73,10 @@ SYSCALL_DEFINE5(add_key, const char __us
+ 	if (IS_ERR(description)) {
+ 		ret = PTR_ERR(description);
+ 		goto error;
++	} else if ((description[0] == '.') &&
++		   (strncmp(type, "keyring", 7) == 0)) {
++		ret = -EPERM;
++		goto error2;
+ 	}
+ 
+ 	/* pull the payload in if one was supplied */
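Review bot: `strncmp(type, "keyring", 7) == 0` is a prefix match, not an equality test, so any type name beginning with "keyring" would trip the dot-prefixed description check; `strcmp(type, "keyring") == 0` would express the intended exact match (`type` is NUL-terminated by `key_get_type_from_user()`, so `strcmp` is safe here). Also confirm that the `error2:` label in the 3.2 tree frees `description`, since the backport note says context was adjusted and a `goto error` here would leak the freshly copied string.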
diff --git a/debian/patches/series b/debian/patches/series
index 96e71f7..36dc541 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1108,6 +1108,9 @@ bugfix/all/KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
 bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch
 bugfix/all/timer-restrict-timer_stats-to-initial-pid-namespace.patch
 bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch
+bugfix/all/keys-special-dot-prefixed-keyring-name-bug-fix.patch
+bugfix/all/keys-reinstate-eperm-for-a-key-type-name-beginning-w.patch
+bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch
 
 # ABI maintenance
 debian/perf-hide-abi-change-in-3.2.30.patch
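Review bot: the order of the three new entries matters and is correct: `keys-special-dot-prefixed-keyring-name-bug-fix.patch` removes the two `type[0] == '.'` lines at `security/keys/keyctl.c` line 35 and `keys-reinstate-eperm-for-a-key-type-name-beginning-w.patch` re-adds them at the same location, so swapping them would fail to apply, and `keys-disallow-keyrings-beginning-with-.-to-be-joined.patch` (the CVE-2016-9604 fix) depends on neither but belongs last to keep upstream chronology. Consider a one-line comment in the series file recording that the first two are prerequisites.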

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git