Message ID | 1503586361-23315-1-git-send-email-stefan.bader@canonical.com |
---|---|
State | New |
On 24/08/17 15:52, Stefan Bader wrote: > From 83b740311f54141b54f8684f131f2eb6e17e3891 Mon Sep 17 00:00:00 2001 > From: David Howells <dhowells@redhat.com> > Date: Tue, 18 Apr 2017 15:31:08 +0100 > Subject: [PATCH] KEYS: Change the name of the dead type to ".dead" to prevent > user access > > This fixes CVE-2017-6951. > > Userspace should not be able to do things with the "dead" key type as it > doesn't have some of the helper functions set upon it that the kernel > needs. Attempting to use it may cause the kernel to crash. > > Fix this by changing the name of the type to ".dead" so that it's rejected > up front on userspace syscalls by key_get_type_from_user(). > > Though this doesn't seem to affect recent kernels, it does affect older > ones, certainly those prior to: > > commit c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81 > Author: David Howells <dhowells@redhat.com> > Date: Tue Sep 16 17:36:06 2014 +0100 > KEYS: Remove key_type::match in favour of overriding default by match_preparse > > which went in before 3.18-rc1. > > Signed-off-by: David Howells <dhowells@redhat.com> > cc: stable@vger.kernel.org > > CVE-2017-6951 > > (cherry-picked from commit c1644fe041ebaf6519f6809146a77c3ead9193af) > Signed-off-by: Stefan Bader <stefan.bader@canonical.com> > --- > Notes: > - From how I read the comments all kernels after 3.18-rc1 were not > affected. But even then this patch would not hurt. And it was > indeed picked up by 4.4.y in Xenial. > - Any kernels before 4.18-rc1 would be fixed by this patch alone > which is much less complicated to pull backwards (still a > cherry-pick for Trusty). > - So beside of adding this patch for Trusty we have to update the > cve triaging in a way that either of the two SHA1s is ok. > > -Stefan > > security/keys/gc.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/security/keys/gc.c b/security/keys/gc.c > index 4a78033..da715eb 100644 > --- a/security/keys/gc.c > +++ b/security/keys/gc.c 
> @@ -46,7 +46,7 @@ static unsigned long key_gc_flags; > * immediately unlinked. > */ > struct key_type key_type_dead = { > - .name = "dead", > + .name = ".dead", > }; > > /* > that's a novel fix. Clean cherry pick. Looks OK to me. Acked-by: Colin Ian King <colin.king@canonical.com>
On 08/24/17 16:52, Stefan Bader wrote: > From 83b740311f54141b54f8684f131f2eb6e17e3891 Mon Sep 17 00:00:00 2001 > From: David Howells <dhowells@redhat.com> > Date: Tue, 18 Apr 2017 15:31:08 +0100 > Subject: [PATCH] KEYS: Change the name of the dead type to ".dead" to prevent > user access > > This fixes CVE-2017-6951. > > Userspace should not be able to do things with the "dead" key type as it > doesn't have some of the helper functions set upon it that the kernel > needs. Attempting to use it may cause the kernel to crash. > > Fix this by changing the name of the type to ".dead" so that it's rejected > up front on userspace syscalls by key_get_type_from_user(). > > Though this doesn't seem to affect recent kernels, it does affect older > ones, certainly those prior to: > > commit c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81 > Author: David Howells <dhowells@redhat.com> > Date: Tue Sep 16 17:36:06 2014 +0100 > KEYS: Remove key_type::match in favour of overriding default by match_preparse > > which went in before 3.18-rc1. > > Signed-off-by: David Howells <dhowells@redhat.com> > cc: stable@vger.kernel.org > > CVE-2017-6951 > > (cherry-picked from commit c1644fe041ebaf6519f6809146a77c3ead9193af) > Signed-off-by: Stefan Bader <stefan.bader@canonical.com> > --- > Notes: > - From how I read the comments all kernels after 3.18-rc1 were not > affected. But even then this patch would not hurt. And it was > indeed picked up by 4.4.y in Xenial. > - Any kernels before 4.18-rc1 would be fixed by this patch alone > which is much less complicated to pull backwards (still a > cherry-pick for Trusty). > - So beside of adding this patch for Trusty we have to update the > cve triaging in a way that either of the two SHA1s is ok. > > -Stefan > > security/keys/gc.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/security/keys/gc.c b/security/keys/gc.c > index 4a78033..da715eb 100644 > --- a/security/keys/gc.c > +++ b/security/keys/gc.c 
> @@ -46,7 +46,7 @@ static unsigned long key_gc_flags; > * immediately unlinked. > */ > struct key_type key_type_dead = { > - .name = "dead", > + .name = ".dead", > }; > > /* > Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Applied to trusty/master-next branch. Thanks.
diff --git a/security/keys/gc.c b/security/keys/gc.c index 4a78033..da715eb 100644 --- a/security/keys/gc.c +++ b/security/keys/gc.c @@ -46,7 +46,7 @@ static unsigned long key_gc_flags; * immediately unlinked. */ struct key_type key_type_dead = { - .name = "dead", + .name = ".dead", }; /*
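Review bot: the rename of `key_type_dead.name` from "dead" to ".dead" only closes the hole if `key_get_type_from_user()` in the Trusty tree actually rejects type names beginning with '.', which is the check the commit message relies on; please confirm that function carries that check in the 3.13-based kernel before the CVE triage is updated to accept either SHA1, otherwise the one-line change gives no protection there. It would also help to state in the backport notes that no in-kernel code looks up this type by the literal string "dead", since such a lookup would silently stop matching after the rename.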