From patchwork Wed Sep  5 19:31:42 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Tim Gardner <tim.gardner@canonical.com>
X-Patchwork-Id: 181925
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from chlorine.canonical.com (chlorine.canonical.com
	[91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id A0CF92C0094
	for <incoming@patchwork.ozlabs.org>;
	Thu,  6 Sep 2012 05:31:57 +1000 (EST)
Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com)
	by chlorine.canonical.com with esmtp (Exim 4.71)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1T9LJ4-0006bv-Ts; Wed, 05 Sep 2012 19:30:34 +0000
Received: from mail.tpi.com ([70.99.223.143])
	by chlorine.canonical.com with esmtp (Exim 4.71)
	(envelope-from <timg@tpi.com>) id 1T9LJ2-0006bg-3f
	for kernel-team@lists.ubuntu.com; Wed, 05 Sep 2012 19:30:32 +0000
Received: from salmon.rtg.net (mail.tpi.com [70.99.223.143])
	by mail.tpi.com (Postfix) with ESMTP id 3D93F1EFE4
	for <kernel-team@lists.ubuntu.com>;
	Wed,  5 Sep 2012 12:31:01 -0700 (PDT)
Received: by salmon.rtg.net (Postfix, from userid 1000)
	id 4D0D620BE8; Wed,  5 Sep 2012 13:31:42 -0600 (MDT)
From: Tim Gardner <tim.gardner@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [PATCH Natty CVE-2012-2745] cred: copy_process() should clear
	child->replacement_session_keyring
Date: Wed,  5 Sep 2012 13:31:42 -0600
Message-Id: <1346873502-16138-1-git-send-email-tim.gardner@canonical.com>
X-Mailer: git-send-email 1.7.9.5
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Sender: kernel-team-bounces@lists.ubuntu.com
Errors-To: kernel-team-bounces@lists.ubuntu.com

From: Oleg Nesterov <oleg@redhat.com>

CVE-2012-2745

BugLink: http://bugs.launchpad.net/bugs/1023535

keyctl_session_to_parent(task) sets ->replacement_session_keyring,
it should be processed and cleared by key_replace_session_keyring().

However, this task can fork before it notices TIF_NOTIFY_RESUME and
the new child gets the bogus ->replacement_session_keyring copied by
dup_task_struct(). This is obviously wrong and, if nothing else, this
leads to put_cred(already_freed_cred).

change copy_creds() to clear this member. If copy_process() fails
before this point the wrong ->replacement_session_keyring doesn't
matter, exit_creds() won't be called.

Cc: <stable@vger.kernel.org>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 79549c6dfda0603dba9a70a53467ce62d9335c33)

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
 kernel/cred.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/cred.c b/kernel/cred.c
index 3a9d6dd..183543f 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -384,6 +384,8 @@ int copy_creds(struct task_struct *p, unsigned long clone_flags)
 	struct cred *new;
 	int ret;
 
+	p->replacement_session_keyring = NULL;
+
 	if (
 #ifdef CONFIG_KEYS
 		!p->cred->thread_keyring &&