<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/security, branch v2.6.32.26</title>
<subtitle>Linux kernel source tree</subtitle>
<id>https://git.amat.us/linux/atom/security?h=v2.6.32.26</id>
<link rel='self' href='https://git.amat.us/linux/atom/security?h=v2.6.32.26'/>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/'/>
<updated>2010-09-27T00:21:30Z</updated>
<entry>
<title>KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring</title>
<updated>2010-09-27T00:21:30Z</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2010-09-10T08:59:51Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=db1a0b94ba65383e790bbba18c95b319ecbe534e'/>
<id>urn:sha1:db1a0b94ba65383e790bbba18c95b319ecbe534e</id>
<content type='text'>
commit 3d96406c7da1ed5811ea52a3b0905f4f0e295376 upstream.

Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
of the parent process's session keyring whether or not the parent has a session
keyring [CVE-2010-2960].

This results in the following oops:

  BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
  IP: [&lt;ffffffff811ae4dd&gt;] keyctl_session_to_parent+0x251/0x443
  ...
  Call Trace:
   [&lt;ffffffff811ae2f3&gt;] ? keyctl_session_to_parent+0x67/0x443
   [&lt;ffffffff8109d286&gt;] ? __do_fault+0x24b/0x3d0
   [&lt;ffffffff811af98c&gt;] sys_keyctl+0xb4/0xb8
   [&lt;ffffffff81001eab&gt;] system_call_fastpath+0x16/0x1b

if the parent process has no session keyring.

If the system is using pam_keyinit then it mostly protected against this as all
processes derived from a login will have inherited the session keyring created
by pam_keyinit during the log in procedure.

To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.

Reported-by: Tavis Ormandy &lt;taviso@cmpxchg8b.com&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Acked-by: Tavis Ormandy &lt;taviso@cmpxchg8b.com&gt;
Cc: dann frazier &lt;dannf@debian.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()</title>
<updated>2010-09-27T00:21:30Z</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2010-09-10T08:59:46Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=516d04d051294af5124d866ed65a838c71006ba5'/>
<id>urn:sha1:516d04d051294af5124d866ed65a838c71006ba5</id>
<content type='text'>
commit 9d1ac65a9698513d00e5608d93fca0c53f536c14 upstream.

There's an protected access to the parent process's credentials in the middle
of keyctl_session_to_parent().  This results in the following RCU warning:

  ===================================================
  [ INFO: suspicious rcu_dereference_check() usage. ]
  ---------------------------------------------------
  security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection!

  other info that might help us debug this:

  rcu_scheduler_active = 1, debug_locks = 0
  1 lock held by keyctl-session-/2137:
   #0:  (tasklist_lock){.+.+..}, at: [&lt;ffffffff811ae2ec&gt;] keyctl_session_to_parent+0x60/0x236

  stack backtrace:
  Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1
  Call Trace:
   [&lt;ffffffff8105606a&gt;] lockdep_rcu_dereference+0xaa/0xb3
   [&lt;ffffffff811ae379&gt;] keyctl_session_to_parent+0xed/0x236
   [&lt;ffffffff811af77e&gt;] sys_keyctl+0xb4/0xb6
   [&lt;ffffffff81001eab&gt;] system_call_fastpath+0x16/0x1b

The code should take the RCU read lock to make sure the parents credentials
don't go away, even though it's holding a spinlock and has IRQ disabled.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Cc: dann frazier &lt;dannf@debian.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>KEYS: find_keyring_by_name() can gain access to a freed keyring</title>
<updated>2010-07-05T18:11:21Z</updated>
<author>
<name>Toshiyuki Okajima</name>
<email>toshi.okajima@jp.fujitsu.com</email>
</author>
<published>2010-04-30T13:32:13Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=48b97a01ba4d411047dad9abce933301699cdf25'/>
<id>urn:sha1:48b97a01ba4d411047dad9abce933301699cdf25</id>
<content type='text'>
commit cea7daa3589d6b550546a8c8963599f7c1a3ae5c upstream.

find_keyring_by_name() can gain access to a keyring that has had its reference
count reduced to zero, and is thus ready to be freed.  This then allows the
dead keyring to be brought back into use whilst it is being destroyed.

The following timeline illustrates the process:

|(cleaner)                           (user)
|
| free_user(user)                    sys_keyctl()
|  |                                  |
|  key_put(user-&gt;session_keyring)     keyctl_get_keyring_ID()
|  ||	//=&gt; keyring-&gt;usage = 0        |
|  |schedule_work(&amp;key_cleanup_task)   lookup_user_key()
|  ||                                   |
|  kmem_cache_free(,user)               |
|  .                                    |[KEY_SPEC_USER_KEYRING]
|  .                                    install_user_keyrings()
|  .                                    ||
| key_cleanup() [&lt;= worker_thread()]    ||
|  |                                    ||
|  [spin_lock(&amp;key_serial_lock)]        |[mutex_lock(&amp;key_user_keyr..mutex)]
|  |                                    ||
|  atomic_read() == 0                   ||
|  |{ rb_ease(&amp;key-&gt;serial_node,) }     ||
|  |                                    ||
|  [spin_unlock(&amp;key_serial_lock)]      |find_keyring_by_name()
|  |                                    |||
|  keyring_destroy(keyring)             ||[read_lock(&amp;keyring_name_lock)]
|  ||                                   |||
|  |[write_lock(&amp;keyring_name_lock)]    ||atomic_inc(&amp;keyring-&gt;usage)
|  |.                                   ||| *** GET freeing keyring ***
|  |.                                   ||[read_unlock(&amp;keyring_name_lock)]
|  ||                                   ||
|  |list_del()                          |[mutex_unlock(&amp;key_user_k..mutex)]
|  ||                                   |
|  |[write_unlock(&amp;keyring_name_lock)]  ** INVALID keyring is returned **
|  |                                    .
|  kmem_cache_free(,keyring)            .
|                                       .
|                                       atomic_dec(&amp;keyring-&gt;usage)
v                                         *** DESTROYED ***
TIME

If CONFIG_SLUB_DEBUG=y then we may see the following message generated:

	=============================================================================
	BUG key_jar: Poison overwritten
	-----------------------------------------------------------------------------

	INFO: 0xffff880197a7e200-0xffff880197a7e200. First byte 0x6a instead of 0x6b
	INFO: Allocated in key_alloc+0x10b/0x35f age=25 cpu=1 pid=5086
	INFO: Freed in key_cleanup+0xd0/0xd5 age=12 cpu=1 pid=10
	INFO: Slab 0xffffea000592cb90 objects=16 used=2 fp=0xffff880197a7e200 flags=0x200000000000c3
	INFO: Object 0xffff880197a7e200 @offset=512 fp=0xffff880197a7e300

	Bytes b4 0xffff880197a7e1f0:  5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
	  Object 0xffff880197a7e200:  6a 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b jkkkkkkkkkkkkkkk

Alternatively, we may see a system panic happen, such as:

	BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
	IP: [&lt;ffffffff810e61a3&gt;] kmem_cache_alloc+0x5b/0xe9
	PGD 6b2b4067 PUD 6a80d067 PMD 0
	Oops: 0000 [#1] SMP
	last sysfs file: /sys/kernel/kexec_crash_loaded
	CPU 1
	...
	Pid: 31245, comm: su Not tainted 2.6.34-rc5-nofixed-nodebug #2 D2089/PRIMERGY
	RIP: 0010:[&lt;ffffffff810e61a3&gt;]  [&lt;ffffffff810e61a3&gt;] kmem_cache_alloc+0x5b/0xe9
	RSP: 0018:ffff88006af3bd98  EFLAGS: 00010002
	RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88007d19900b
	RDX: 0000000100000000 RSI: 00000000000080d0 RDI: ffffffff81828430
	RBP: ffffffff81828430 R08: ffff88000a293750 R09: 0000000000000000
	R10: 0000000000000001 R11: 0000000000100000 R12: 00000000000080d0
	R13: 00000000000080d0 R14: 0000000000000296 R15: ffffffff810f20ce
	FS:  00007f97116bc700(0000) GS:ffff88000a280000(0000) knlGS:0000000000000000
	CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 0000000000000001 CR3: 000000006a91c000 CR4: 00000000000006e0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
	Process su (pid: 31245, threadinfo ffff88006af3a000, task ffff8800374414c0)
	Stack:
	 0000000512e0958e 0000000000008000 ffff880037f8d180 0000000000000001
	 0000000000000000 0000000000008001 ffff88007d199000 ffffffff810f20ce
	 0000000000008000 ffff88006af3be48 0000000000000024 ffffffff810face3
	Call Trace:
	 [&lt;ffffffff810f20ce&gt;] ? get_empty_filp+0x70/0x12f
	 [&lt;ffffffff810face3&gt;] ? do_filp_open+0x145/0x590
	 [&lt;ffffffff810ce208&gt;] ? tlb_finish_mmu+0x2a/0x33
	 [&lt;ffffffff810ce43c&gt;] ? unmap_region+0xd3/0xe2
	 [&lt;ffffffff810e4393&gt;] ? virt_to_head_page+0x9/0x2d
	 [&lt;ffffffff81103916&gt;] ? alloc_fd+0x69/0x10e
	 [&lt;ffffffff810ef4ed&gt;] ? do_sys_open+0x56/0xfc
	 [&lt;ffffffff81008a02&gt;] ? system_call_fastpath+0x16/0x1b
	Code: 0f 1f 44 00 00 49 89 c6 fa 66 0f 1f 44 00 00 65 4c 8b 04 25 60 e8 00 00 48 8b 45 00 49 01 c0 49 8b 18 48 85 db 74 0d 48 63 45 18 &lt;48&gt; 8b 04 03 49 89 00 eb 14 4c 89 f9 83 ca ff 44 89 e6 48 89 ef
	RIP  [&lt;ffffffff810e61a3&gt;] kmem_cache_alloc+0x5b/0xe9

This problem is that find_keyring_by_name does not confirm that the keyring is
valid before accepting it.

Skipping keyrings that have been reduced to a zero count seems the way to go.
To this end, use atomic_inc_not_zero() to increment the usage count and skip
the candidate keyring if that returns false.

The following script _may_ cause the bug to happen, but there's no guarantee
as the window of opportunity is small:

	#!/bin/sh
	LOOP=100000
	USER=dummy_user
	/bin/su -c "exit;" $USER || { /usr/sbin/adduser -m $USER; add=1; }
	for ((i=0; i&lt;LOOP; i++))
	do
		/bin/su -c "echo '$i' &gt; /dev/null" $USER
	done
	(( add == 1 )) &amp;&amp; /usr/sbin/userdel -r $USER
	exit

Note that the nominated user must not be in use.

An alternative way of testing this may be:

	for ((i=0; i&lt;100000; i++))
	do
		keyctl session foo /bin/true || break
	done &gt;&amp;/dev/null

as that uses a keyring named "foo" rather than relying on the user and
user-session named keyrings.

Reported-by: Toshiyuki Okajima &lt;toshi.okajima@jp.fujitsu.com&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Tested-by: Toshiyuki Okajima &lt;toshi.okajima@jp.fujitsu.com&gt;
Acked-by: Serge Hallyn &lt;serue@us.ibm.com&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;
Cc: Ben Hutchings &lt;ben@decadent.org.uk&gt;
Cc: Chuck Ebbert &lt;cebbert@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>KEYS: Return more accurate error codes</title>
<updated>2010-07-05T18:11:20Z</updated>
<author>
<name>Dan Carpenter</name>
<email>error27@gmail.com</email>
</author>
<published>2010-05-17T13:42:35Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=ec098d1914879ce1fb45691f33c8cd194eef7a50'/>
<id>urn:sha1:ec098d1914879ce1fb45691f33c8cd194eef7a50</id>
<content type='text'>
commit 4d09ec0f705cf88a12add029c058b53f288cfaa2 upstream.

We were using the wrong variable here so the error codes weren't being returned
properly.  The original code returns -ENOKEY.

Signed-off-by: Dan Carpenter &lt;error27@gmail.com&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>mmap_min_addr check CAP_SYS_RAWIO only for write</title>
<updated>2010-05-26T21:29:21Z</updated>
<author>
<name>Kees Cook</name>
<email>kees.cook@canonical.com</email>
</author>
<published>2010-04-22T19:19:17Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=734c542a8aa9d7d49ffed09e671972851f25df5e'/>
<id>urn:sha1:734c542a8aa9d7d49ffed09e671972851f25df5e</id>
<content type='text'>
commit 4ae69e6b718589abe97c9625ccbb1e0bc95a8c0e upstream.

Redirecting directly to lsm, here's the patch discussed on lkml:
http://lkml.org/lkml/2010/4/22/219

The mmap_min_addr value is useful information for an admin to see without
being root ("is my system vulnerable to kernel NULL pointer attacks?") and
its setting is trivially easy for an attacker to determine by calling
mmap() in PAGE_SIZE increments starting at 0, so trying to keep it private
has no value.

Only require CAP_SYS_RAWIO if changing the value, not reading it.

Comment from Serge :

  Me, I like to write my passwords with light blue pen on dark blue
  paper, pasted on my window - if you're going to get my password, you're
  gonna get a headache.

Signed-off-by: Kees Cook &lt;kees.cook@canonical.com&gt;
Acked-by: Serge Hallyn &lt;serue@us.ibm.com&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;
(cherry picked from commit 822cceec7248013821d655545ea45d1c6a9d15b3)
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>security: testing the wrong variable in create_by_name()</title>
<updated>2010-05-12T21:57:14Z</updated>
<author>
<name>Dan Carpenter</name>
<email>error27@gmail.com</email>
</author>
<published>2010-04-22T10:05:35Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=e3a126e62222b90f6c9ec63cc30cf443210764f7'/>
<id>urn:sha1:e3a126e62222b90f6c9ec63cc30cf443210764f7</id>
<content type='text'>
commit b338cc8207eae46640a8d534738fda7b5e48511d upstream.

There is a typo here.  We should be testing "*dentry" instead of
"dentry".  If "*dentry" is an ERR_PTR, it gets dereferenced in either
mkdir() or create() which would cause an OOPs.

Signed-off-by: Dan Carpenter &lt;error27@gmail.com&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>keys: the request_key() syscall should link an existing key to the dest keyring</title>
<updated>2010-05-12T21:57:01Z</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2010-04-27T20:13:08Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=c1837a8f5014463056c255f4bf82a06d16388223'/>
<id>urn:sha1:c1837a8f5014463056c255f4bf82a06d16388223</id>
<content type='text'>
commit 03449cd9eaa4fa3a7faa4a59474bafe2e90bd143 upstream.

The request_key() system call and request_key_and_link() should make a
link from an existing key to the destination keyring (if supplied), not
just from a new key to the destination keyring.

This can be tested by:

	ring=`keyctl newring fred @s`
	keyctl request2 user debug:a a
	keyctl request user debug:a $ring
	keyctl list $ring

If it says:

	keyring is empty

then it didn't work.  If it shows something like:

	1 key in keyring:
	1070462727: --alswrv     0     0 user: debug:a

then it did.

request_key() system call is meant to recursively search all your keyrings for
the key you desire, and, optionally, if it doesn't exist, call out to userspace
to create one for you.

If request_key() finds or creates a key, it should, optionally, create a link
to that key from the destination keyring specified.

Therefore, if, after a successful call to request_key() with a desination
keyring specified, you see the destination keyring empty, the code didn't work
correctly.

If you see the found key in the keyring, then it did - which is what the patch
is required for.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Cc: James Morris &lt;jmorris@namei.org&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>sysctl: require CAP_SYS_RAWIO to set mmap_min_addr</title>
<updated>2010-04-01T22:58:16Z</updated>
<author>
<name>Kees Cook</name>
<email>kees.cook@canonical.com</email>
</author>
<published>2009-11-08T17:37:00Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=c907edc64f5ccc35c81b44fd0444646ba97edfc4'/>
<id>urn:sha1:c907edc64f5ccc35c81b44fd0444646ba97edfc4</id>
<content type='text'>
commit 0e1a6ef2dea88101b056b6d9984f3325c5efced3 upstream.

Currently the mmap_min_addr value can only be bypassed during mmap when
the task has CAP_SYS_RAWIO.  However, the mmap_min_addr sysctl value itself
can be adjusted to 0 if euid == 0, allowing a bypass without CAP_SYS_RAWIO.
This patch adds a check for the capability before allowing mmap_min_addr to
be changed.

Signed-off-by: Kees Cook &lt;kees.cook@canonical.com&gt;
Acked-by: Serge Hallyn &lt;serue@us.ibm.com&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>netlabel: fix export of SELinux categories &gt; 127</title>
<updated>2010-03-15T15:49:34Z</updated>
<author>
<name>Joshua Roys</name>
<email>joshua.roys@gtri.gatech.edu</email>
</author>
<published>2010-02-24T23:52:44Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=15bd3e21f0b4b12aca0f016cb2d962fc227182e2'/>
<id>urn:sha1:15bd3e21f0b4b12aca0f016cb2d962fc227182e2</id>
<content type='text'>
commit c36f74e67fa12202dbcb4ad92c5ac844f9d36b98 upstream.

This fixes corrupted CIPSO packets when SELinux categories greater than 127
are used.  The bug occured on the second (and later) loops through the
while; the inner for loop through the ebitmap-&gt;maps array used the same
index as the NetLabel catmap-&gt;bitmap array, even though the NetLabel bitmap
is twice as long as the SELinux bitmap.

Signed-off-by: Joshua Roys &lt;joshua.roys@gtri.gatech.edu&gt;
Acked-by: Paul Moore &lt;paul.moore@hp.com&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>SECURITY: selinux, fix update_rlimit_cpu parameter</title>
<updated>2010-02-09T12:50:53Z</updated>
<author>
<name>Jiri Slaby</name>
<email>jirislaby@gmail.com</email>
</author>
<published>2009-08-28T08:47:16Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=6db6aced4d9eb83872d6b63dfd95e3c9d2de37c2'/>
<id>urn:sha1:6db6aced4d9eb83872d6b63dfd95e3c9d2de37c2</id>
<content type='text'>
commit 17740d89785aeb4143770923d67c293849414710 upstream.

Don't pass current RLIMIT_RTTIME to update_rlimit_cpu() in
selinux_bprm_committing_creds, since update_rlimit_cpu expects
RLIMIT_CPU limit.

Use proper rlim[RLIMIT_CPU].rlim_cur instead to fix that.

Signed-off-by: Jiri Slaby &lt;jirislaby@gmail.com&gt;
Acked-by: James Morris &lt;jmorris@namei.org&gt;
Cc: Stephen Smalley &lt;sds@tycho.nsa.gov&gt;
Cc: Eric Paris &lt;eparis@parisplace.org&gt;
Cc: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
</feed>
