Message ID | 1346873721-21543-1-git-send-email-tim.gardner@canonical.com |
---|---|
State | New |
Headers | show |
On 09/05/2012 12:35 PM, Tim Gardner wrote: > From: Oleg Nesterov <oleg@redhat.com> > > CVE-2012-2745 > > BugLink: http://bugs.launchpad.net/bugs/1023535 > > keyctl_session_to_parent(task) sets ->replacement_session_keyring, > it should be processed and cleared by key_replace_session_keyring(). > > However, this task can fork before it notices TIF_NOTIFY_RESUME and > the new child gets the bogus ->replacement_session_keyring copied by > dup_task_struct(). This is obviously wrong and, if nothing else, this > leads to put_cred(already_freed_cred). > > change copy_creds() to clear this member. If copy_process() fails > before this point the wrong ->replacement_session_keyring doesn't > matter, exit_creds() won't be called. > > Cc: <stable@vger.kernel.org> > Signed-off-by: Oleg Nesterov <oleg@redhat.com> > Acked-by: David Howells <dhowells@redhat.com> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > (back ported from commit 79549c6dfda0603dba9a70a53467ce62d9335c33) > > Signed-off-by: Tim Gardner <tim.gardner@canonical.com> > --- > kernel/cred.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/kernel/cred.c b/kernel/cred.c > index 0b5b5fc..6ffd433 100644 > --- a/kernel/cred.c > +++ b/kernel/cred.c > @@ -442,6 +442,7 @@ int copy_creds(struct task_struct *p, unsigned long clone_flags) > int ret; > > mutex_init(&p->cred_guard_mutex); > + p->replacement_session_keyring = NULL; > > if ( > #ifdef CONFIG_KEYS >
diff --git a/kernel/cred.c b/kernel/cred.c index 0b5b5fc..6ffd433 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -442,6 +442,7 @@ int copy_creds(struct task_struct *p, unsigned long clone_flags) int ret; mutex_init(&p->cred_guard_mutex); + p->replacement_session_keyring = NULL; if ( #ifdef CONFIG_KEYS