[{"id":1763146,"web_url":"http://patchwork.ozlabs.org/comment/1763146/","msgid":"","list_archive_url":null,"date":"2017-09-05T09:47:24","subject":"ACK: [Trusty SRU][CVE-2016-9604][PATCH] KEYS: Disallow keyrings\n\tbeginning with '.' to be joined as session keyrings","submitter":{"id":2900,"url":"http://patchwork.ozlabs.org/api/people/2900/","name":"Colin Ian King","email":"colin.king@canonical.com"},"content":"On 05/09/17 10:33, Kleber Sacilotto de Souza wrote:\n> From: David Howells \n> \n> This fixes CVE-2016-9604.\n> \n> Keyrings whose name begin with a '.' are special internal keyrings and so\n> userspace isn't allowed to create keyrings by this name to prevent\n> shadowing. However, the patch that added the guard didn't fix\n> KEYCTL_JOIN_SESSION_KEYRING. Not only can that create dot-named keyrings,\n> it can also subscribe to them as a session keyring if they grant SEARCH\n> permission to the user.\n> \n> This, for example, allows a root process to set .builtin_trusted_keys as\n> its session keyring, at which point it has full access because now the\n> possessor permissions are added. This permits root to add extra public\n> keys, thereby bypassing module verification.\n> \n> This also affects kexec and IMA.\n> \n> This can be tested by (as root):\n> \n> \tkeyctl session .builtin_trusted_keys\n> \tkeyctl add user a a @s\n> \tkeyctl list @s\n> \n> which on my test box gives me:\n> \n> \t2 keys in keyring:\n> \t180010936: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: ae3d4a31b82daa8e1a75b49dc2bba949fd992a05\n> \t801382539: --alswrv 0 0 user: a\n> \n> Fix this by rejecting names beginning with a '.' in the keyctl.\n> \n> Signed-off-by: David Howells \n> Acked-by: Mimi Zohar \n> cc: linux-ima-devel@lists.sourceforge.net\n> cc: stable@vger.kernel.org\n> (cherry picked from commit ee8f844e3c5a73b999edf733df1c529d6503ec2f)\n> Signed-off-by: Kleber Sacilotto de Souza \n> ---\n> security/keys/keyctl.c | 9 +++++++--\n> 1 file changed, 7 insertions(+), 2 deletions(-)\n> \n> diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c\n> index 9360394b3c10..4e3fecc72f43 100644\n> --- a/security/keys/keyctl.c\n> +++ b/security/keys/keyctl.c\n> @@ -271,7 +271,8 @@ error:\n> * Create and join an anonymous session keyring or join a named session\n> * keyring, creating it if necessary. A named session keyring must have Search\n> * permission for it to be joined. Session keyrings without this permit will\n> - * be skipped over.\n> + * be skipped over. It is not permitted for userspace to create or join\n> + * keyrings whose name begin with a dot.\n> *\n> * If successful, the ID of the joined session keyring will be returned.\n> */\n> @@ -288,12 +289,16 @@ long keyctl_join_session_keyring(const char __user *_name)\n> \t\t\tret = PTR_ERR(name);\n> \t\t\tgoto error;\n> \t\t}\n> +\n> +\t\tret = -EPERM;\n> +\t\tif (name[0] == '.')\n> +\t\t\tgoto error_name;\n> \t}\n> \n> \t/* join the session */\n> \tret = join_session_keyring(name);\n> +error_name:\n> \tkfree(name);\n> -\n> error:\n> \treturn ret;\n> }\n> \nClean cherry pick. Makes sense.\n\nAcked-by: Colin Ian King ","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=)","Received":["from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xmhhf5QMyz9s83;\n\tTue, 5 Sep 2017 19:47:30 +1000 (AEST)","from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.86_2)\n\t(envelope-from )\n\tid 1dpAS7-0003Pj-7O; Tue, 05 Sep 2017 09:47:27 +0000","from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)\n\t(Exim 4.86_2) (envelope-from )\n\tid 1dpAS5-0003Pb-PF\n\tfor kernel-team@lists.ubuntu.com; Tue, 05 Sep 2017 09:47:25 +0000","from 1.general.cking.uk.vpn ([10.172.193.212])\n\tby youngberry.canonical.com with esmtpsa\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from )\n\tid 1dpAS5-00059g-Dy; Tue, 05 Sep 2017 09:47:25 +0000"],"Subject":"ACK: [Trusty SRU][CVE-2016-9604][PATCH] KEYS: Disallow keyrings\n\tbeginning with '.' to be joined as session keyrings","To":"kernel-team@lists.ubuntu.com","References":"<20170905093358.28935-1-kleber.souza@canonical.com>","From":"Colin Ian King ","Message-ID":"","Date":"Tue, 5 Sep 2017 10:47:24 +0100","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101\n\tThunderbird/45.8.0","MIME-Version":"1.0","In-Reply-To":"<20170905093358.28935-1-kleber.souza@canonical.com>","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions ","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" "}},{"id":1763351,"web_url":"http://patchwork.ozlabs.org/comment/1763351/","msgid":"<530c457b-e9a9-41c1-d5a7-42180bd62451@canonical.com>","list_archive_url":null,"date":"2017-09-05T13:12:26","subject":"ACK/cmnt: [Trusty SRU][CVE-2016-9604][PATCH] KEYS: Disallow keyrings\n\tbeginning with '.' to be joined as session keyrings","submitter":{"id":2898,"url":"http://patchwork.ozlabs.org/api/people/2898/","name":"Stefan Bader","email":"stefan.bader@canonical.com"},"content":"On 05.09.2017 11:33, Kleber Sacilotto de Souza wrote:\n> From: David Howells \n> \n> This fixes CVE-2016-9604.\n> \n> Keyrings whose name begin with a '.' are special internal keyrings and so\n> userspace isn't allowed to create keyrings by this name to prevent\n> shadowing. However, the patch that added the guard didn't fix\n> KEYCTL_JOIN_SESSION_KEYRING. Not only can that create dot-named keyrings,\n> it can also subscribe to them as a session keyring if they grant SEARCH\n> permission to the user.\n> \n> This, for example, allows a root process to set .builtin_trusted_keys as\n> its session keyring, at which point it has full access because now the\n> possessor permissions are added. This permits root to add extra public\n> keys, thereby bypassing module verification.\n> \n> This also affects kexec and IMA.\n> \n> This can be tested by (as root):\n> \n> \tkeyctl session .builtin_trusted_keys\n> \tkeyctl add user a a @s\n> \tkeyctl list @s\n> \n> which on my test box gives me:\n> \n> \t2 keys in keyring:\n> \t180010936: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: ae3d4a31b82daa8e1a75b49dc2bba949fd992a05\n> \t801382539: --alswrv 0 0 user: a\n> \n> Fix this by rejecting names beginning with a '.' in the keyctl.\n> \n> Signed-off-by: David Howells \n> Acked-by: Mimi Zohar \n> cc: linux-ima-devel@lists.sourceforge.net\n> cc: stable@vger.kernel.org\n\nCVE-2016-9604\n\n> (cherry picked from commit ee8f844e3c5a73b999edf733df1c529d6503ec2f)\n> Signed-off-by: Kleber Sacilotto de Souza \nAcked-by: Stefan Bader \n\n> ---\n\nAgain with repeated CVE number.\n\n> security/keys/keyctl.c | 9 +++++++--\n> 1 file changed, 7 insertions(+), 2 deletions(-)\n> \n> diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c\n> index 9360394b3c10..4e3fecc72f43 100644\n> --- a/security/keys/keyctl.c\n> +++ b/security/keys/keyctl.c\n> @@ -271,7 +271,8 @@ error:\n> * Create and join an anonymous session keyring or join a named session\n> * keyring, creating it if necessary. A named session keyring must have Search\n> * permission for it to be joined. Session keyrings without this permit will\n> - * be skipped over.\n> + * be skipped over. It is not permitted for userspace to create or join\n> + * keyrings whose name begin with a dot.\n> *\n> * If successful, the ID of the joined session keyring will be returned.\n> */\n> @@ -288,12 +289,16 @@ long keyctl_join_session_keyring(const char __user *_name)\n> \t\t\tret = PTR_ERR(name);\n> \t\t\tgoto error;\n> \t\t}\n> +\n> +\t\tret = -EPERM;\n> +\t\tif (name[0] == '.')\n> +\t\t\tgoto error_name;\n> \t}\n> \n> \t/* join the session */\n> \tret = join_session_keyring(name);\n> +error_name:\n> \tkfree(name);\n> -\n> error:\n> \treturn ret;\n> }\n>","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=)","Received":["from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xmnFF2K9Yz9t24;\n\tTue, 5 Sep 2017 23:12:33 +1000 (AEST)","from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.86_2)\n\t(envelope-from )\n\tid 1dpDeW-0001Kr-Qi; Tue, 05 Sep 2017 13:12:28 +0000","from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)\n\t(Exim 4.86_2) (envelope-from )\n\tid 1dpDeV-0001KL-9G\n\tfor kernel-team@lists.ubuntu.com; Tue, 05 Sep 2017 13:12:27 +0000","from 1.general.smb.uk.vpn ([10.172.193.28])\n\tby youngberry.canonical.com with esmtpsa\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from )\n\tid 1dpDeV-0008Kn-1D; Tue, 05 Sep 2017 13:12:27 +0000"],"Subject":"ACK/cmnt: [Trusty SRU][CVE-2016-9604][PATCH] KEYS: Disallow keyrings\n\tbeginning with '.' to be joined as session keyrings","To":"Kleber Sacilotto de Souza ,\n\tkernel-team@lists.ubuntu.com","References":"<20170905093358.28935-1-kleber.souza@canonical.com>","From":"Stefan Bader ","Message-ID":"<530c457b-e9a9-41c1-d5a7-42180bd62451@canonical.com>","Date":"Tue, 5 Sep 2017 15:12:26 +0200","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\tThunderbird/52.2.1","MIME-Version":"1.0","In-Reply-To":"<20170905093358.28935-1-kleber.souza@canonical.com>","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions ","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","Content-Type":"multipart/mixed;\n\tboundary=\"===============3342405147641640585==\"","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" "}},{"id":1763404,"web_url":"http://patchwork.ozlabs.org/comment/1763404/","msgid":"<3d556e41-4a2b-65ba-aacb-9772eb5edb54@canonical.com>","list_archive_url":null,"date":"2017-09-05T14:31:06","subject":"APPLIED: [Trusty SRU][CVE-2016-9604][PATCH] KEYS: Disallow keyrings\n\tbeginning with '.' to be joined as session keyrings","submitter":{"id":71419,"url":"http://patchwork.ozlabs.org/api/people/71419/","name":"Kleber Sacilotto de Souza","email":"kleber.souza@canonical.com"},"content":"Applied to trusty/master-next branch, adding the CVE number in the SOB\narea as pointed out by Stefan. Thanks.","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=)","Received":["from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xmq026X48z9sPt;\n\tWed, 6 Sep 2017 00:31:14 +1000 (AEST)","from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.86_2)\n\t(envelope-from )\n\tid 1dpEsh-0000uR-QT; Tue, 05 Sep 2017 14:31:11 +0000","from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)\n\t(Exim 4.86_2) (envelope-from )\n\tid 1dpEsg-0000tZ-9P\n\tfor kernel-team@lists.ubuntu.com; Tue, 05 Sep 2017 14:31:10 +0000","from mail-wr0-f200.google.com ([209.85.128.200])\n\tby youngberry.canonical.com with esmtps\n\t(TLS1.0:RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from )\n\tid 1dpEsg-0003wt-2B\n\tfor kernel-team@lists.ubuntu.com; Tue, 05 Sep 2017 14:31:10 +0000","by mail-wr0-f200.google.com with SMTP id v109so4463985wrc.5\n\tfor ;\n\tTue, 05 Sep 2017 07:31:10 -0700 (PDT)","from [192.168.0.8] (ip5f5bd015.dynamic.kabel-deutschland.de.\n\t[95.91.208.21]) by smtp.gmail.com with ESMTPSA id\n\tj3sm317924ede.91.2017.09.05.07.31.07\n\tfor \n\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);\n\tTue, 05 Sep 2017 07:31:08 -0700 (PDT)"],"X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:subject:from:to:references:message-id:date\n\t:user-agent:mime-version:in-reply-to:content-language\n\t:content-transfer-encoding;\n\tbh=Hysh2s2WR5wOmTlx3GplxYB5pmFZHSi8hVGnrgDz0vk=;\n\tb=VdTQRM+XvDrjQpSYu5JuQ06DOEdwSIX/QxPJRwRAcorbgC/S/y730nQVlKuBcTWMZe\n\tqFgEDB8RQ41XRGWUHSbn6R3/dY7Lttya6fJTYfOfLR0EaiOBkMMJSsXMrWlWSk2/lbPF\n\tmsHi0kQ4yE4m/5UvWHzyvwckbazotB1t4wTAvMuQ4Ass5XdgDfNMnOjOgtZsYdcLkqOV\n\t/D02SN+AB/lS6KgK8I4r2zRHTl+dS3QWmg6PBUmhcIpNZULTkoslejpPzhNUobL6rsBj\n\tcxF/GTgVXxDWhFyCVeJsBVwW4dbXWwWcVWvKkdLlxaRLyb9Cqp/9HJiLr2hvalDxneU2\n\tj5Gw==","X-Gm-Message-State":"AHPjjUhMrQDYxVTNP/yy4cOtkV7WZXwU9xVC0kna48ngHyB3iljenBbm\n\tf3MT8NM9qrt4a4cl6WDHQNPo8u+enEwubPhwEHdUs4qfa2JAAnKcpWtEfhx7kGOFpfMevoolBfR\n\t9tdK3K/MDxYCx21cFRLT2vONgU7MYtevB","X-Received":["by 10.80.134.141 with SMTP id r13mr3460557eda.152.1504621869555; \n\tTue, 05 Sep 2017 07:31:09 -0700 (PDT)","by 10.80.134.141 with SMTP id r13mr3460553eda.152.1504621869390; \n\tTue, 05 Sep 2017 07:31:09 -0700 (PDT)"],"X-Google-Smtp-Source":"ADKCNb6NvMi73XLESBQ9n+2wh1v3m45DRqQ0+TkLvRg8pehLctwh2tDktUVrA+ugRqtzw7W0MzvzEg==","Subject":"APPLIED: [Trusty SRU][CVE-2016-9604][PATCH] KEYS: Disallow keyrings\n\tbeginning with '.' to be joined as session keyrings","From":"Kleber Souza ","To":"kernel-team@lists.ubuntu.com","References":"<20170905093358.28935-1-kleber.souza@canonical.com>","Message-ID":"<3d556e41-4a2b-65ba-aacb-9772eb5edb54@canonical.com>","Date":"Tue, 5 Sep 2017 16:31:06 +0200","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\tThunderbird/52.2.1","MIME-Version":"1.0","In-Reply-To":"<20170905093358.28935-1-kleber.souza@canonical.com>","Content-Language":"en-US","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions ","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" "}}]