diff options
author | David Howells <dhowells@redhat.com> | 2010-09-10 09:59:51 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2010-09-26 17:18:36 -0700 |
commit | 0f403655ecddfdb7630adbb6ba59c30cb0c541a4 (patch) | |
tree | 1b8ec60e8033e871e3f91b91d5b699abf252b805 | |
parent | 21313e0760fd268ca778f54c10b4e8f8e889c97c (diff) |
KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
commit 3d96406c7da1ed5811ea52a3b0905f4f0e295376 upstream.
Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
of the parent process's session keyring whether or not the parent has a session
keyring [CVE-2010-2960].
This results in the following oops:
BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443
...
Call Trace:
[<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443
[<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0
[<ffffffff811af98c>] sys_keyctl+0xb4/0xb8
[<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
if the parent process has no session keyring.
If the system is using pam_keyinit then it mostly protected against this as all
processes derived from a login will have inherited the session keyring created
by pam_keyinit during the log in procedure.
To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.
Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Cc: dann frazier <dannf@debian.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | security/keys/keyctl.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 747d8f2b5dc..e0d1e2b90a2 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c @@ -1292,7 +1292,8 @@ long keyctl_session_to_parent(void) goto not_permitted; /* the keyrings must have the same UID */ - if (pcred->tgcred->session_keyring->uid != mycred->euid || + if ((pcred->tgcred->session_keyring && + pcred->tgcred->session_keyring->uid != mycred->euid) || mycred->tgcred->session_keyring->uid != mycred->euid) goto not_permitted; |