author | dann frazier <dannf@debian.org> | 2007-03-16 23:17:54 +0000 |
---|---|---|
committer | dann frazier <dannf@debian.org> | 2007-03-16 23:17:54 +0000 |
commit | 85b9777b7df8496d10cb37bb354f3dfeadc46998 (patch) | |
tree | 65fafdbe4d2444f454b49142ad0431eb335a3b33 | |
parent | 9fdde275ce1c9af63a13e6a6e64908a481ce2fd9 (diff) | |
* keys-serial-num-collision.patch
[SECURITY] Fix the key serial number collision avoidance code in
key_alloc_serial() that could lead to a local DoS (oops).
(closes: #398470)
See CVE-2007-0006
svn path=/dists/etch-security/linux-2.6/; revision=8368
-rw-r--r-- | debian/changelog | 10 | ||||
-rw-r--r-- | debian/patches/bugfix/keys-serial-num-collision.patch | 92 | ||||
-rw-r--r-- | debian/patches/series/11etch1 | 1 |
3 files changed, 103 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index c348d4d2681b..9eaec51fe819 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+linux-2.6 (2.6.18.dfsg.1-11etch1) UNRELEASED; urgency=high
+
+ * keys-serial-num-collision.patch
+ [SECURITY] Fix the key serial number collision avoidance code in
+ key_alloc_serial() that could lead to a local DoS (oops).
+ (closes: #398470)
+ See CVE-2007-0006
+
+ -- dann frazier <dannf@debian.org> Fri, 16 Mar 2007 17:15:06 -0600
+
 linux-2.6 (2.6.18.dfsg.1-11) unstable; urgency=low
 
 [ Jurij Smakov ]
diff --git a/debian/patches/bugfix/keys-serial-num-collision.patch b/debian/patches/bugfix/keys-serial-num-collision.patch
new file mode 100644
index 000000000000..98759002de0b
--- /dev/null
+++ b/debian/patches/bugfix/keys-serial-num-collision.patch
@@ -0,0 +1,92 @@
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 6 Feb 2007 13:45:51 +0000 (+0000)
+Subject: [PATCH] Keys: Fix key serial number collision handling
+X-Git-Tag: v2.6.21-rc2~42^2~22
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9ad0830f307bcd8dc285cfae58998d43b21727f4
+
+[PATCH] Keys: Fix key serial number collision handling
+
+Fix the key serial number collision avoidance code in key_alloc_serial().
+
+This didn't use to be so much of a problem as the key serial numbers were
+allocated from a simple incremental counter, and it would have to go through
+two billion keys before it could possibly encounter a collision. However, now
+that random numbers are used instead, collisions are much more likely.
+
+This is fixed by finding a hole in the rbtree where the next unused serial
+number ought to be and using that by going almost back to the top of the
+insertion routine and redoing the insertion with the new serial number rather
+than trying to be clever and attempting to work out the insertion point
+pointer directly.
+
+This fixes kernel BZ #7727.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+diff --git a/security/keys/key.c b/security/keys/key.c
+index ac9326c..700400d 100644
+--- a/security/keys/key.c
++++ b/security/keys/key.c
+@@ -188,6 +188,7 @@ static inline void key_alloc_serial(struct key *key)
+
+ spin_lock(&key_serial_lock);
+
++attempt_insertion:
+ parent = NULL;
+ p = &key_serial_tree.rb_node;
+
+@@ -202,39 +203,33 @@ static inline void key_alloc_serial(struct key *key)
+ else
+ goto serial_exists;
+ }
+- goto insert_here;
++
++ /* we've found a suitable hole - arrange for this key to occupy it */
++ rb_link_node(&key->serial_node, parent, p);
++ rb_insert_color(&key->serial_node, &key_serial_tree);
++
++ spin_unlock(&key_serial_lock);
++ return;
+
+ /* we found a key with the proposed serial number - walk the tree from
+ * that point looking for the next unused serial number */
+ serial_exists:
+ for (;;) {
+ key->serial++;
+- if (key->serial < 2)
+- key->serial = 2;
+-
+- if (!rb_parent(parent))
+- p = &key_serial_tree.rb_node;
+- else if (rb_parent(parent)->rb_left == parent)
+- p = &(rb_parent(parent)->rb_left);
+- else
+- p = &(rb_parent(parent)->rb_right);
++ if (key->serial < 3) {
++ key->serial = 3;
++ goto attempt_insertion;
++ }
+
+ parent = rb_next(parent);
+ if (!parent)
+- break;
++ goto attempt_insertion;
+
+ xkey = rb_entry(parent, struct key, serial_node);
+ if (key->serial < xkey->serial)
+- goto insert_here;
++ goto attempt_insertion;
+ }
+
+- /* we've found a suitable hole - arrange for this key to occupy it */
+-insert_here:
+- rb_link_node(&key->serial_node, parent, p);
+- rb_insert_color(&key->serial_node, &key_serial_tree);
+-
+- spin_unlock(&key_serial_lock);
+-
+ } /* end key_alloc_serial() */
+
+ /*****************************************************************************/
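Review bot: In the `serial_exists` loop, `key->serial++` followed by `if (key->serial < 3)` only catches wrap-around if incrementing past the maximum yields a small or negative value; the declaration of `key->serial` is outside this patch, but if it is a signed type the overflow is undefined in C unless the build forces wrapping arithmetic. Checking for the type's maximum before the increment and resetting to 3 there would not depend on that. The floor also moves from 2 to 3 with no explanation in the message or the code, so a one-line comment above the test saying which serial values are reserved would help the next reader. `key_alloc_serial()` starts before the first inner hunk, so the initial serial selection is not visible here.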
diff --git a/debian/patches/series/11etch1 b/debian/patches/series/11etch1
new file mode 100644
index 000000000000..90753bbf300f
--- /dev/null
+++ b/debian/patches/series/11etch1
@@ -0,0 +1 @@
++ bugfix/keys-serial-num-collision.patch |