Patchwork [hardy,lucid,lucid/fsl-imx51,maverick,maverick/ti-omap4,natty,natty/ti-omap4,CVE,1/1] KEYS: Fix a NULL pointer deref in the user-defined key type

login
register
mail settings
Submitter Andy Whitcroft
Date Dec. 6, 2011, 4:32 p.m.
Message ID <1323189125-20157-2-git-send-email-apw@canonical.com>
Download mbox | patch
Permalink /patch/129733/
State New
Headers show

Comments

Andy Whitcroft - Dec. 6, 2011, 4:32 p.m.
From: David Howells <dhowells@redhat.com>

Fix a NULL pointer deref in the user-defined key type whereby updating a
negative key into a fully instantiated key will cause an oops to occur
when the code attempts to free the non-existent old payload.

This results in an oops that looks something like the following:

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
  IP: [<ffffffff81085fa1>] __call_rcu+0x11/0x13e
  PGD 3391d067 PUD 3894a067 PMD 0
  Oops: 0002 [#1] SMP
  CPU 1
  Pid: 4354, comm: keyctl Not tainted 3.1.0-fsdevel+ #1140                  /DG965RY
  RIP: 0010:[<ffffffff81085fa1>]  [<ffffffff81085fa1>] __call_rcu+0x11/0x13e
  RSP: 0018:ffff88003d591df8  EFLAGS: 00010246
  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000006e
  RDX: ffffffff8161d0c0 RSI: 0000000000000000 RDI: 0000000000000000
  RBP: ffff88003d591e18 R08: 0000000000000000 R09: ffffffff8152fa6c
  R10: 0000000000000000 R11: 0000000000000300 R12: ffff88003b8f9538
  R13: ffffffff8161d0c0 R14: ffff88003b8f9d50 R15: ffff88003c69f908
  FS:  00007f97eb18c720(0000) GS:ffff88003bd00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000008 CR3: 000000003d47a000 CR4: 00000000000006e0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
  Process keyctl (pid: 4354, threadinfo ffff88003d590000, task ffff88003c78a040)
  Stack:
   ffff88003e0ffde0 ffff88003b8f9538 0000000000000001 ffff88003b8f9d50
   ffff88003d591e28 ffffffff810860f0 ffff88003d591e68 ffffffff8117bfea
   ffff88003d591e68 ffffffff00000000 ffff88003e0ffde1 ffff88003e0ffde0
  Call Trace:
   [<ffffffff810860f0>] call_rcu_sched+0x10/0x12
   [<ffffffff8117bfea>] user_update+0x8d/0xa2
   [<ffffffff8117723a>] key_create_or_update+0x236/0x270
   [<ffffffff811789b1>] sys_add_key+0x123/0x17e
   [<ffffffff813b84bb>] system_call_fastpath+0x16/0x1b

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Neil Horman <nhorman@redhat.com>
Acked-by: Steve Dickson <steved@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

(backported from commit 9f35a33b8d06263a165efe3541d9aa0cdbd70b3b)
CVE-2011-4110
BugLink: http://bugs.launchpad.net/bugs/894369
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 security/keys/user_defined.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)
Tim Gardner - Dec. 6, 2011, 4:49 p.m.
On 12/06/2011 09:32 AM, Andy Whitcroft wrote:
> From: David Howells<dhowells@redhat.com>
>
> Fix a NULL pointer deref in the user-defined key type whereby updating a
> negative key into a fully instantiated key will cause an oops to occur
> when the code attempts to free the non-existent old payload.
>
> This results in an oops that looks something like the following:
>
>    BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
>    IP: [<ffffffff81085fa1>] __call_rcu+0x11/0x13e
>    PGD 3391d067 PUD 3894a067 PMD 0
>    Oops: 0002 [#1] SMP
>    CPU 1
>    Pid: 4354, comm: keyctl Not tainted 3.1.0-fsdevel+ #1140                  /DG965RY
>    RIP: 0010:[<ffffffff81085fa1>]  [<ffffffff81085fa1>] __call_rcu+0x11/0x13e
>    RSP: 0018:ffff88003d591df8  EFLAGS: 00010246
>    RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000006e
>    RDX: ffffffff8161d0c0 RSI: 0000000000000000 RDI: 0000000000000000
>    RBP: ffff88003d591e18 R08: 0000000000000000 R09: ffffffff8152fa6c
>    R10: 0000000000000000 R11: 0000000000000300 R12: ffff88003b8f9538
>    R13: ffffffff8161d0c0 R14: ffff88003b8f9d50 R15: ffff88003c69f908
>    FS:  00007f97eb18c720(0000) GS:ffff88003bd00000(0000) knlGS:0000000000000000
>    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>    CR2: 0000000000000008 CR3: 000000003d47a000 CR4: 00000000000006e0
>    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
>    Process keyctl (pid: 4354, threadinfo ffff88003d590000, task ffff88003c78a040)
>    Stack:
>     ffff88003e0ffde0 ffff88003b8f9538 0000000000000001 ffff88003b8f9d50
>     ffff88003d591e28 ffffffff810860f0 ffff88003d591e68 ffffffff8117bfea
>     ffff88003d591e68 ffffffff00000000 ffff88003e0ffde1 ffff88003e0ffde0
>    Call Trace:
>     [<ffffffff810860f0>] call_rcu_sched+0x10/0x12
>     [<ffffffff8117bfea>] user_update+0x8d/0xa2
>     [<ffffffff8117723a>] key_create_or_update+0x236/0x270
>     [<ffffffff811789b1>] sys_add_key+0x123/0x17e
>     [<ffffffff813b84bb>] system_call_fastpath+0x16/0x1b
>
> Signed-off-by: David Howells<dhowells@redhat.com>
> Acked-by: Jeff Layton<jlayton@redhat.com>
> Acked-by: Neil Horman<nhorman@redhat.com>
> Acked-by: Steve Dickson<steved@redhat.com>
> Acked-by: James Morris<jmorris@namei.org>
> Cc: stable@kernel.org
> Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org>
>
> (backported from commit 9f35a33b8d06263a165efe3541d9aa0cdbd70b3b)
> CVE-2011-4110
> BugLink: http://bugs.launchpad.net/bugs/894369
> Signed-off-by: Andy Whitcroft<apw@canonical.com>
> ---
>   security/keys/user_defined.c |    3 ++-
>   1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
> index 7c687d5..97edf29 100644
> --- a/security/keys/user_defined.c
> +++ b/security/keys/user_defined.c
> @@ -119,7 +119,8 @@ int user_update(struct key *key, const void *data, size_t datalen)
>   		key->expiry = 0;
>   	}
>
> -	call_rcu(&zap->rcu, user_update_rcu_disposal);
> +	if (zap)
> +		call_rcu(&zap->rcu, user_update_rcu_disposal);
>
>   error:
>   	return ret;
Seth Forshee - Dec. 6, 2011, 5:15 p.m.
On Tue, Dec 06, 2011 at 04:32:05PM +0000, Andy Whitcroft wrote:
> From: David Howells <dhowells@redhat.com>
> 
> Fix a NULL pointer deref in the user-defined key type whereby updating a
> negative key into a fully instantiated key will cause an oops to occur
> when the code attempts to free the non-existent old payload.
> 
> This results in an oops that looks something like the following:
> 
>   BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
>   IP: [<ffffffff81085fa1>] __call_rcu+0x11/0x13e
>   PGD 3391d067 PUD 3894a067 PMD 0
>   Oops: 0002 [#1] SMP
>   CPU 1
>   Pid: 4354, comm: keyctl Not tainted 3.1.0-fsdevel+ #1140                  /DG965RY
>   RIP: 0010:[<ffffffff81085fa1>]  [<ffffffff81085fa1>] __call_rcu+0x11/0x13e
>   RSP: 0018:ffff88003d591df8  EFLAGS: 00010246
>   RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000006e
>   RDX: ffffffff8161d0c0 RSI: 0000000000000000 RDI: 0000000000000000
>   RBP: ffff88003d591e18 R08: 0000000000000000 R09: ffffffff8152fa6c
>   R10: 0000000000000000 R11: 0000000000000300 R12: ffff88003b8f9538
>   R13: ffffffff8161d0c0 R14: ffff88003b8f9d50 R15: ffff88003c69f908
>   FS:  00007f97eb18c720(0000) GS:ffff88003bd00000(0000) knlGS:0000000000000000
>   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>   CR2: 0000000000000008 CR3: 000000003d47a000 CR4: 00000000000006e0
>   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>   DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
>   Process keyctl (pid: 4354, threadinfo ffff88003d590000, task ffff88003c78a040)
>   Stack:
>    ffff88003e0ffde0 ffff88003b8f9538 0000000000000001 ffff88003b8f9d50
>    ffff88003d591e28 ffffffff810860f0 ffff88003d591e68 ffffffff8117bfea
>    ffff88003d591e68 ffffffff00000000 ffff88003e0ffde1 ffff88003e0ffde0
>   Call Trace:
>    [<ffffffff810860f0>] call_rcu_sched+0x10/0x12
>    [<ffffffff8117bfea>] user_update+0x8d/0xa2
>    [<ffffffff8117723a>] key_create_or_update+0x236/0x270
>    [<ffffffff811789b1>] sys_add_key+0x123/0x17e
>    [<ffffffff813b84bb>] system_call_fastpath+0x16/0x1b
> 
> Signed-off-by: David Howells <dhowells@redhat.com>
> Acked-by: Jeff Layton <jlayton@redhat.com>
> Acked-by: Neil Horman <nhorman@redhat.com>
> Acked-by: Steve Dickson <steved@redhat.com>
> Acked-by: James Morris <jmorris@namei.org>
> Cc: stable@kernel.org
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> 
> (backported from commit 9f35a33b8d06263a165efe3541d9aa0cdbd70b3b)
> CVE-2011-4110
> BugLink: http://bugs.launchpad.net/bugs/894369
> Signed-off-by: Andy Whitcroft <apw@canonical.com>

Acked-by: Seth Forshee <seth.forshee@canonical.com>

> ---
>  security/keys/user_defined.c |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
> 
> diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
> index 7c687d5..97edf29 100644
> --- a/security/keys/user_defined.c
> +++ b/security/keys/user_defined.c
> @@ -119,7 +119,8 @@ int user_update(struct key *key, const void *data, size_t datalen)
>  		key->expiry = 0;
>  	}
>  
> -	call_rcu(&zap->rcu, user_update_rcu_disposal);
> +	if (zap)
> +		call_rcu(&zap->rcu, user_update_rcu_disposal);
>  
>  error:
>  	return ret;
> -- 
> 1.7.5.4
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Patch

diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
index 7c687d5..97edf29 100644
--- a/security/keys/user_defined.c
+++ b/security/keys/user_defined.c
@@ -119,7 +119,8 @@  int user_update(struct key *key, const void *data, size_t datalen)
 		key->expiry = 0;
 	}
 
-	call_rcu(&zap->rcu, user_update_rcu_disposal);
+	if (zap)
+		call_rcu(&zap->rcu, user_update_rcu_disposal);
 
 error:
 	return ret;