summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2010-09-10 09:59:51 +0100
committerGreg Kroah-Hartman <gregkh@suse.de>2011-03-21 12:45:43 -0700
commit22b19ee0392cbc7e5d4fe3159113f585bf212944 (patch)
tree8bc39de47e5145096c7e7d5b04fe645beaf7620c
parentef29fb3e1e3aa866828fe419ad4c360ac26d416c (diff)
downloadkernel-common-22b19ee0392cbc7e5d4fe3159113f585bf212944.tar.gz
kernel-common-22b19ee0392cbc7e5d4fe3159113f585bf212944.tar.bz2
kernel-common-22b19ee0392cbc7e5d4fe3159113f585bf212944.zip
KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
commit 3d96406c7da1ed5811ea52a3b0905f4f0e295376 upstream. Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership of the parent process's session keyring whether or not the parent has a session keyring [CVE-2010-2960]. This results in the following oops: BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0 IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443 ... Call Trace: [<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443 [<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0 [<ffffffff811af98c>] sys_keyctl+0xb4/0xb8 [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b if the parent process has no session keyring. If the system is using pam_keyinit then it mostly protected against this as all processes derived from a login will have inherited the session keyring created by pam_keyinit during the log in procedure. To test this, pam_keyinit calls need to be commented out in /etc/pam.d/. Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Tavis Ormandy <taviso@cmpxchg8b.com> Cc: dann frazier <dannf@debian.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--security/keys/keyctl.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index d29e0225b9af..c25603a137bc 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1292,7 +1292,8 @@ long keyctl_session_to_parent(void)
goto not_permitted;
/* the keyrings must have the same UID */
- if (pcred ->tgcred->session_keyring->uid != mycred->euid ||
+ if ((pcred->tgcred->session_keyring &&
+ pcred->tgcred->session_keyring->uid != mycred->euid) ||
mycred->tgcred->session_keyring->uid != mycred->euid)
goto not_permitted;