From patchwork Tue Sep 5 09:33:58 2017
X-Patchwork-Submitter: Kleber Sacilotto de Souza
X-Patchwork-Id: 810055
From: Kleber Sacilotto de Souza
To: kernel-team@lists.ubuntu.com
Subject: [Trusty SRU][CVE-2016-9604][PATCH] KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings
Date: Tue, 5 Sep 2017 11:33:58 +0200
Message-Id: <20170905093358.28935-1-kleber.souza@canonical.com>
X-Mailer: git-send-email 2.14.1
List-Id: Kernel team discussions
From: David Howells

This fixes CVE-2016-9604.

Keyrings whose names begin with a '.' are special internal keyrings and so userspace isn't allowed to create keyrings by this name to prevent shadowing. However, the patch that added the guard didn't fix KEYCTL_JOIN_SESSION_KEYRING. Not only can that create dot-named keyrings, it can also subscribe to them as a session keyring if they grant SEARCH permission to the user.

This, for example, allows a root process to set .builtin_trusted_keys as its session keyring, at which point it has full access because now the possessor permissions are added. This permits root to add extra public keys, thereby bypassing module verification.

This also affects kexec and IMA.

This can be tested by (as root):

	keyctl session .builtin_trusted_keys
	keyctl add user a a @s
	keyctl list @s

which on my test box gives me:

	2 keys in keyring:
	180010936: ---lswrv     0     0  asymmetric: Build time autogenerated kernel key: ae3d4a31b82daa8e1a75b49dc2bba949fd992a05
	801382539: --alswrv     0     0  user: a

Fix this by rejecting names beginning with a '.' in the keyctl.

Signed-off-by: David Howells
Acked-by: Mimi Zohar
cc: linux-ima-devel@lists.sourceforge.net
cc: stable@vger.kernel.org
(cherry picked from commit ee8f844e3c5a73b999edf733df1c529d6503ec2f)
Signed-off-by: Kleber Sacilotto de Souza
Acked-by: Colin Ian King
Acked-by: Stefan Bader
---
 security/keys/keyctl.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 9360394b3c10..4e3fecc72f43 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -271,7 +271,8 @@ error: * Create and join an anonymous session keyring or join a named session * keyring, creating it if necessary. A named session keyring must have Search * permission for it to be joined. Session keyrings without this permit will - * be skipped over. + * be skipped over. It is not permitted for userspace to create or join + * keyrings whose name begin with a dot. * * If successful, the ID of the joined session keyring will be returned. */ @@ -288,12 +289,16 @@ long keyctl_join_session_keyring(const char __user *_name) ret = PTR_ERR(name); goto error; } + + ret = -EPERM; + if (name[0] == '.') + goto error_name; } /* join the session */ ret = join_session_keyring(name); +error_name: kfree(name); - error: return ret; }
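Review bot: in the header comment changed by the first hunk, "keyrings whose name begin with a dot" should read "whose names begin", and since this comment is what documents the restriction it should also say what the caller sees, i.e. that such a name is rejected with -EPERM, which is the value the second hunk assigns to ret before `goto error_name`.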
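Review bot: in the second hunk, the `-` that drops the blank line between `kfree(name);` and `error:` is unrelated whitespace churn for a minimal stable/SRU backport; drop it so the hunk is only the check and the new label. The check itself reads correctly: it sits inside the block that handles a user-supplied name, before that block's closing `}`, so the anonymous-session path described in the header comment is untouched; `name` is a C string, so `name[0]` is defined even for an empty name; and `goto error_name` frees the copied name while the earlier `goto error` on a failed copy still correctly skips the free. One sentence worth adding to the commit message: the guard lives in keyctl_join_session_keyring() rather than in join_session_keyring() itself, so any other caller of join_session_keyring() would still accept dot-prefixed names.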
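The manual test in the commit message needs root and the keyctl(1) utility. Below is an added example, not part of this patch or of the Ubuntu or upstream kernel trees: a small C probe that performs the same KEYCTL_JOIN_SESSION_KEYRING operation through the raw keyctl(2) syscall and reports whether the running kernel rejects a dot-prefixed name. It first joins an ordinary named session keyring as a control, so that a syscall that is blocked outright (EPERM from a container seccomp profile such as Docker's default, or ENOSYS) is reported as indeterminate rather than mistaken for the fix. The probe name "cve-2016-9604-probe", the three-way result enum and the classify() split are this example's own conventions; the KEYCTL_JOIN_SESSION_KEYRING value 1 is the one from <linux/keyctl.h>. No root is needed: on a fixed kernel the dot-prefixed join fails with EPERM for any user.

```c
/* probe_cve_2016_9604.c: does KEYCTL_JOIN_SESSION_KEYRING reject names
 * beginning with '.'? Linux only, no root required.
 * Added example for this page, not code from the patch or the kernel tree. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Value from <linux/keyctl.h>, repeated here so the probe builds without
 * kernel headers installed. */
#ifndef KEYCTL_JOIN_SESSION_KEYRING
#define KEYCTL_JOIN_SESSION_KEYRING 1
#endif

enum probe_result {
    PROBE_INDETERMINATE = -1, /* keyctl(2) unusable here: seccomp, ENOSYS, quota */
    PROBE_VULNERABLE    = 0,  /* dot-prefixed name was created or joined */
    PROBE_PATCHED       = 1   /* dot-prefixed name rejected with EPERM */
};

/* Pure decision logic, kept apart from the syscalls so it can be tested
 * with constructed values. control_*: result of joining an ordinary name,
 * which must succeed for the probe to mean anything. dot_*: result of
 * joining the dot-prefixed name. */
enum probe_result classify(long control_ret, int control_errno,
                           long dot_ret, int dot_errno)
{
    (void)control_errno;             /* reported by main(), not needed here */
    if (control_ret < 0)
        return PROBE_INDETERMINATE;  /* keyrings not usable in this context */
    if (dot_ret >= 0)
        return PROBE_VULNERABLE;     /* kernel let us join/create ".foo" */
    if (dot_errno == EPERM)
        return PROBE_PATCHED;        /* exactly what the fix returns */
    return PROBE_INDETERMINATE;      /* some other failure, e.g. EDQUOT */
}

/* Issue KEYCTL_JOIN_SESSION_KEYRING directly. Returns the serial of the new
 * session keyring (>= 0) or -1 with *err set. Each successful call replaces
 * the calling process's session keyring, which is harmless for a throwaway
 * probe process. */
static long join_session(const char *name, int *err)
{
    long r = syscall(SYS_keyctl, KEYCTL_JOIN_SESSION_KEYRING, name);
    *err = (r < 0) ? errno : 0;
    return r;
}

enum probe_result probe_dot_keyring_join(void)
{
    int cerr, derr;
    /* Control: joining a plain name is permitted for any user. The label is
     * arbitrary and chosen for this example. */
    long c = join_session("cve-2016-9604-probe", &cerr);
    /* The operation from the commit message's reproducer. On a fixed kernel
     * it fails with EPERM regardless of privilege; on an unfixed kernel it
     * succeeds (creating the keyring, or joining the real one when the
     * caller has Search permission on it). */
    long d = join_session(".builtin_trusted_keys", &derr);
    return classify(c, cerr, d, derr);
}

int main(void)
{
    switch (probe_dot_keyring_join()) {
    case PROBE_PATCHED:
        puts("patched: dot-prefixed session keyring join rejected with EPERM");
        return 0;
    case PROBE_VULNERABLE:
        puts("VULNERABLE: kernel allowed joining .builtin_trusted_keys");
        return 1;
    default:
        puts("indeterminate: keyctl(2) not usable here (seccomp, ENOSYS or quota)");
        return 2;
    }
}
```

Build with `cc -Wall -o probe_cve_2016_9604 probe_cve_2016_9604.c` and run it as an unprivileged user; an exit status of 1 means the kernel still accepts dot-prefixed names on this keyctl, and a status of 2 means the result says nothing about the kernel because the syscall could not be exercised from this context.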