• Yevgeny Pats's avatar
    KEYS: Fix keyring ref leak in join_session_keyring() · 23567fd0
    Yevgeny Pats authored
    This fixes CVE-2016-0728.
    
    If a thread is asked to join as a session keyring the keyring that's already
    set as its session, we leak a keyring reference.
    
    This can be tested with the following program:
    
    	#include <stddef.h>
    	#include <stdio.h>
    	#include <sys/types.h>
    	#include <keyutils.h>
    
    	int main(int argc, const char *argv[])
    	{
    		int i = 0;
    		key_serial_t serial;
    
    		serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
    				"leaked-keyring");
    		if (serial < 0) {
    			perror("keyctl");
    			return -1;
    		}
    
    		if (keyctl(KEYCTL_SETPERM, serial,
    			   KEY_POS_ALL | KEY_USR_ALL) < 0) {
    			perror("keyctl");
    			return -1;
    		}
    
    		for (i = 0; i < 100; i++) {
    			serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
    					"leaked-keyring");
    			if (serial < 0) {
    				perror("keyctl");
    				return -1;
    			}
    		}
    
    		return 0;
    	}
    
    If, after the program has run, there something like the following line in
    /proc/keys:
    
    3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty
    
    with a usage count of 100 * the number of times the program has been run,
    then the kernel is malfunctioning.  If leaked-keyring has zero usages or
    has been garbage collected, then the problem is fixed.
    Reported-by: default avatarYevgeny Pats <yevgeny@perception-point.io>
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Acked-by: default avatarDon Zickus <dzickus@redhat.com>
    Acked-by: default avatarPrarit Bhargava <prarit@redhat.com>
    Acked-by: default avatarJarod Wilson <jarod@redhat.com>
    Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
    23567fd0
Name
Last commit
Last update
Documentation Loading commit data...
arch Loading commit data...
block Loading commit data...
certs Loading commit data...
crypto Loading commit data...
drivers Loading commit data...
firmware Loading commit data...
fs Loading commit data...
include Loading commit data...
init Loading commit data...
ipc Loading commit data...
kernel Loading commit data...
lib Loading commit data...
mm Loading commit data...
net Loading commit data...
samples Loading commit data...
scripts Loading commit data...
security Loading commit data...
sound Loading commit data...
tools Loading commit data...
usr Loading commit data...
virt Loading commit data...
.get_maintainer.ignore Loading commit data...
.gitignore Loading commit data...
.mailmap Loading commit data...
COPYING Loading commit data...
CREDITS Loading commit data...
Kbuild Loading commit data...
Kconfig Loading commit data...
MAINTAINERS Loading commit data...
Makefile Loading commit data...
README Loading commit data...
REPORTING-BUGS Loading commit data...