diff options
| author | Ben Hutchings <ben@decadent.org.uk> | 2016-01-04 01:57:00 +0000 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2016-01-04 01:57:00 +0000 |
| commit | 0f11ea7f19defff0bbd8dc24042f63407bbcfbdf (patch) | |
| tree | 5ad1b3e0b586d5c7c65e73d8e91179175ead657a | |
| parent | 567f9b5f9fc7f32478573c70bf713a49bb98eb88 (diff) | |
| download | kernel_replicant_linux-0f11ea7f19defff0bbd8dc24042f63407bbcfbdf.tar.gz kernel_replicant_linux-0f11ea7f19defff0bbd8dc24042f63407bbcfbdf.tar.bz2 kernel_replicant_linux-0f11ea7f19defff0bbd8dc24042f63407bbcfbdf.zip | |
Update to 4.4-rc8
| -rw-r--r-- | debian/changelog | 2 | ||||
| -rw-r--r-- | debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch | 110 | ||||
| -rw-r--r-- | debian/patches/series | 1 |
3 files changed, 1 insertions, 112 deletions
diff --git a/debian/changelog b/debian/changelog index 722402a66313..faecfea83c8b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.4~rc7-1~exp1) UNRELEASED; urgency=medium +linux (4.4~rc8-1~exp1) UNRELEASED; urgency=medium * New upstream release candidate diff --git a/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch b/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch deleted file mode 100644 index e75e677303cc..000000000000 --- a/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch +++ /dev/null @@ -1,110 +0,0 @@ -From: David Howells <dhowells@redhat.com> -Date: Fri, 18 Dec 2015 01:34:26 +0000 -Subject: KEYS: Fix race between read and revoke -Origin: https://git.kernel.org/linus/b4a1b4f5047e4f54e194681125c74c0aa64d637d - -This fixes CVE-2015-7550. - -There's a race between keyctl_read() and keyctl_revoke(). If the revoke -happens between keyctl_read() checking the validity of a key and the key's -semaphore being taken, then the key type read method will see a revoked key. - -This causes a problem for the user-defined key type because it assumes in -its read method that there will always be a payload in a non-revoked key -and doesn't check for a NULL pointer. - -Fix this by making keyctl_read() check the validity of a key after taking -semaphore instead of before. - -I think the bug was introduced with the original keyrings code. - -This was discovered by a multithreaded test program generated by syzkaller -(http://github.com/google/syzkaller). Here's a cleaned up version: - - #include <sys/types.h> - #include <keyutils.h> - #include <pthread.h> - void *thr0(void *arg) - { - key_serial_t key = (unsigned long)arg; - keyctl_revoke(key); - return 0; - } - void *thr1(void *arg) - { - key_serial_t key = (unsigned long)arg; - char buffer[16]; - keyctl_read(key, buffer, 16); - return 0; - } - int main() - { - key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING); - pthread_t th[5]; - pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key); - pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key); - pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key); - pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key); - pthread_join(th[0], 0); - pthread_join(th[1], 0); - pthread_join(th[2], 0); - pthread_join(th[3], 0); - return 0; - } - -Build as: - - cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread - -Run as: - - while keyctl-race; do :; done - -as it may need several iterations to crash the kernel. The crash can be -summarised as: - - BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 - IP: [<ffffffff81279b08>] user_read+0x56/0xa3 - ... - Call Trace: - [<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7 - [<ffffffff81277815>] SyS_keyctl+0x83/0xe0 - [<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f - -Reported-by: Dmitry Vyukov <dvyukov@google.com> -Signed-off-by: David Howells <dhowells@redhat.com> -Tested-by: Dmitry Vyukov <dvyukov@google.com> -Cc: stable@vger.kernel.org -Signed-off-by: James Morris <james.l.morris@oracle.com> ---- - security/keys/keyctl.c | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) - ---- a/security/keys/keyctl.c -+++ b/security/keys/keyctl.c -@@ -757,16 +757,16 @@ long keyctl_read_key(key_serial_t keyid, - - /* the key is probably readable - now try to read it */ - can_read_key: -- ret = key_validate(key); -- if (ret == 0) { -- ret = -EOPNOTSUPP; -- if (key->type->read) { -- /* read the data with the semaphore held (since we -- * might sleep) */ -- down_read(&key->sem); -+ ret = -EOPNOTSUPP; -+ if (key->type->read) { -+ /* Read the data with the semaphore held (since we might sleep) -+ * to protect against the key being updated or revoked. -+ */ -+ down_read(&key->sem); -+ ret = key_validate(key); -+ if (ret == 0) - ret = key->type->read(key, buffer, buflen); -- up_read(&key->sem); -- } -+ up_read(&key->sem); - } - - error2: diff --git a/debian/patches/series b/debian/patches/series index 7239f3905544..125045fda91d 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -96,4 +96,3 @@ features/all/grsecurity/grkernsec_perf_harden.patch bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch -bugfix/all/keys-fix-race-between-read-and-revoke.patch |