Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 20 Oct 2015 10:21:14 -0400 (EDT)
From: cve-assign@...re.org
To: amaris@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: crash when attempt to garbage collect an uninstantiated keyring - Linux kernel

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce1fad2740c648a4340f6f6c391a8a83769d2e8c
> https://bugzilla.redhat.com/show_bug.cgi?id=1272371
> https://bugzilla.redhat.com/show_bug.cgi?id=1272172

>      i=`keyctl add user a a @s`
>      keyctl request2 keyring foo bar @t
>      keyctl unlink $i @s
> 
> tries to invoke an upcall to instantiate a keyring if one doesn't already
> exist by that name within the user's keyring set. However, if the upcall
> fails, the code sets keyring->type_data.reject_error to -ENOKEY or some
> other error code.  When the key is garbage collected, the key destroy
> function is called unconditionally and keyring_destroy() uses list_empty()
> on keyring->type_data.link - which is in a union with reject_error.
> Subsequently, the kernel tries to unlink the keyring from the keyring names
> list - which oopses

> The solution is to only call ->destroy() if the key was successfully
> instantiated.

>> Prevent a user-triggerable crash in the keyrings destructor when a
>> negatively instantiated keyring is garbage collected.

Use CVE-2015-7872.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWJk1RAAoJEL54rhJi8gl5dY8QAIR5aEHLrphiK+AMH/Rh5mqL
Hb1ZLFiCiBP+QiMcqNL8QGueOBxJ9OaRwO7DVoG8xyFUAjcGkmGLKZLDMZLvFSwq
IAhIGiaG6uTgoZF0G2CeWW8LM7jFezlwBTlFy6S7NAJ04ig74SPiGy90iEpMZ+T3
yvsXda5Wv4jplIESmDhei5AGJA2DTbVantlEreQEwylpc+P4da4T1iQBSlieUqmw
a5KCqK99c3E+NWeYkMTakqTomkveGNeSSdECCJPJAOEBjhS306MCrfm00Lml60Tu
RKP4tkXZuRIzSNJ4wHXuUzqL2p7TeKqCybbdtqjJBb48x9R5uSf+AsMSr1lHXWnm
x0NQiVsk5DD+5byp4OsEqHmVRmncSakx3kZ5lB5STz/9awbhrqeuraXdEcXvW0Us
6SJzhGBHTvEP9JujyBnuxjxNIJZjO3FSH4EPc2vT2fj6QxbZwJAz8561/dQcPRzB
ZHTQOaESMYra1Ilh/xT2vgbAgS8QbafP3YUnPmjL7FdOyzAISWE14btotMJUrRDT
2O8ac+clhv+3RUnEQeIs3nayTXWFITD7uC9RAZ+PJE7MI6723LgFHv/EBwHxw8B9
sbq0BR/54EZxgbmcmBJdDdqWdemR0l+nOIVyjHjWF355YEz9/mGNCO2WMhYROv0U
1FvpX7r/yaNcuCwv0vF2
=3n+3
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ