* [security]
  security-keys-destructor-oops.patch
  Fix keyring destructor
  See CAN-2005-2099
  Closes: #323039
* [security]
  security-keys-session-join.patch
  Fix error during session join
  See CAN-2005-2098
  Closes: #323039

svn path=/trunk/kernel/source/linux-2.6/; revision=3871
parent fd37167417
commit 0838fb3354
|
@ -1,12 +1,11 @@
|
|||
linux-2.6 (2.6.12-3) UNRELEASED; urgency=low
|
||||
|
||||
[ Bastian Blank ]
|
||||
* Added reference to old kernel-* package names to make
|
||||
transition a little more obvious to end users.
|
||||
A Dan Jacobson special. Closes: #321167
|
||||
A Dan Jacobson special. (Simon Horman) Closes: #321167
|
||||
|
||||
* By the time this makes it into the archive, it will
|
||||
be handling kernel-image-2.6-* packages.
|
||||
be handling kernel-image-2.6-* packages. (Simon Horman)
|
||||
Closes: #321867
|
||||
|
||||
* Link palinfo statically on ia64. (dann frazier) (Closes: #321885)
|
||||
|
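Review bot: attribution style is inconsistent across the entries in this hunk. The revised lines put "(Simon Horman)" directly before a bare "Closes:" reference, while the ia64 entry writes "(dann frazier) (Closes: #321885)" with the bug reference parenthesised. Pick one form for the whole 2.6.12-3 stanza so the bug-closing references read uniformly.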
@ -35,7 +34,19 @@ linux-2.6 (2.6.12-3) UNRELEASED; urgency=low
|
|||
toolchain in sid. Many thanks go to GOTO Masanori and Matthias Klose as
|
||||
well as any other who worked on the biarch toolchain to make this happen.
|
||||
|
||||
-- Sven Luther <luther@debian.org> Sun, 14 Aug 2005 15:21:37 +0200
|
||||
* [security]
|
||||
security-keys-destructor-oops.patch
|
||||
Fix keyring destructor
|
||||
See CAN-2005-2099 (Simon Horman)
|
||||
Closes: #323039
|
||||
|
||||
* [security]
|
||||
security-keys-session-join.patch
|
||||
Fix error during session join
|
||||
See CAN-2005-2098 (Simon Horman)
|
||||
Closes: #323039
|
||||
|
||||
-- Simon Horman <horms@debian.org> Mon, 15 Aug 2005 17:41:42 +0900
|
||||
|
||||
linux-2.6 (2.6.12-2) unstable; urgency=low
|
||||
|
||||
|
|
|
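Review bot: the stanza header still reads "urgency=low" although the entries added here are [security] fixes, and the upstream description imported for CAN-2005-2099 says the bug "permits any user to take down a box trivially". Consider raising the urgency for this upload, and say in each entry what the flaw allows (a local denial of service in both cases) so a reader of the changelog does not have to look up the CAN ids. Both entries also close the same bug, #323039; a single "Closes:" after the second entry would be enough.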
@ -0,0 +1,55 @@
|
|||
commit 94efe72f762e2c147d8146d637d5ece5614c8d94
|
||||
tree 002e4719541ad838342e01a5f8ff63ae0a618b29
|
||||
parent bcf945d36fa0598f41ac4ad46a9dc43135460263
|
||||
author David Howells <dhowells@redhat.com> 1123186027 -0700
|
||||
committer Linus Torvalds <torvalds@g5.osdl.org> 1123186274 -0700
|
||||
|
||||
[PATCH] Destruction of failed keyring oopses
|
||||
|
||||
The attached patch makes sure that a keyring that failed to instantiate
|
||||
properly is destroyed without oopsing [CAN-2005-2099].
|
||||
|
||||
The problem occurs in three stages:
|
||||
|
||||
(1) The key allocator initialises the type-specific data to all zeroes. In
|
||||
the case of a keyring, this will become a link in the keyring name list
|
||||
when the keyring is instantiated.
|
||||
|
||||
(2) If a user (any user) attempts to add a keyring with anything other than
|
||||
an empty payload, the keyring instantiation function will fail with an
|
||||
error and won't add the keyring to the name list.
|
||||
|
||||
(3) The keyring's destructor then sees that the keyring has a description
|
||||
(name) and tries to remove the keyring from the name list, which oopses
|
||||
because the link pointers are both zero.
|
||||
|
||||
This bug permits any user to take down a box trivially.
|
||||
|
||||
Signed-Off-By: David Howells <dhowells@redhat.com>
|
||||
Signed-off-by: Andrew Morton <akpm@osdl.org>
|
||||
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
||||
|
||||
I:100644 100644 a1f6bac647a1c3a673bfbb2b4b03d0556cc9be88 9c208c756df8136cbaa0a06f5442af60c712ae6d M security/keys/keyring.c
|
||||
|
||||
Key:
|
||||
S: Skipped
|
||||
I: Included Included verbatim
|
||||
D: Deleted Manually deleted by subsequent user edit
|
||||
R: Revised Manually revised by subsequent user edit
|
||||
|
||||
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
|
||||
--- a/security/keys/keyring.c
|
||||
+++ b/security/keys/keyring.c
|
||||
@@ -201,7 +201,11 @@ static void keyring_destroy(struct key *
|
||||
|
||||
if (keyring->description) {
|
||||
write_lock(&keyring_name_lock);
|
||||
- list_del(&keyring->type_data.link);
|
||||
+
|
||||
+ if (keyring->type_data.link.next != NULL &&
|
||||
+ !list_empty(&keyring->type_data.link))
|
||||
+ list_del(&keyring->type_data.link);
|
||||
+
|
||||
write_unlock(&keyring_name_lock);
|
||||
}
|
||||
|
|
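Review bot: the new guard in keyring_destroy() has no comment explaining when type_data.link.next can be NULL. The commit text gives the reason (the allocator zeroes the type-specific data, and a keyring that failed to instantiate was never added to the name list); a one-line comment above the "if" saying so would keep the NULL test from looking redundant next to !list_empty(). Separately, the imported file carries the tree/parent lines and the "I:" / "Key:" legend, which could be trimmed so the patch holds only the description and the diff.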
@ -0,0 +1,54 @@
|
|||
commit bcf945d36fa0598f41ac4ad46a9dc43135460263
|
||||
tree 7a2aa188442bf863f20055a001baf85143d7a5b9
|
||||
parent 6fb0caa42308923d9e4ed7b36ec077b97c107e24
|
||||
author David Howells <dhowells@redhat.com> 1123186026 -0700
|
||||
committer Linus Torvalds <torvalds@g5.osdl.org> 1123186274 -0700
|
||||
|
||||
[PATCH] Error during attempt to join key management session can leave semaphore pinned
|
||||
|
||||
The attached patch prevents an error during the key session joining operation
|
||||
from hanging future joins in the D state [CAN-2005-2098].
|
||||
|
||||
The problem is that the error handling path for the KEYCTL_JOIN_SESSION_KEYRING
|
||||
operation has one error path that doesn't release the session management
|
||||
semaphore. Further attempts to get the semaphore will then sleep for ever in
|
||||
the D state.
|
||||
|
||||
This can happen in four situations, all involving an attempt to allocate a new
|
||||
session keyring:
|
||||
|
||||
(1) ENOMEM.
|
||||
|
||||
(2) The users key quota being reached.
|
||||
|
||||
(3) A keyring name that is an empty string.
|
||||
|
||||
(4) A keyring name that is too long.
|
||||
|
||||
Any user may attempt this operation, and so any user can cause the problem to
|
||||
occur.
|
||||
|
||||
Signed-Off-By: David Howells <dhowells@redhat.com>
|
||||
Signed-off-by: Andrew Morton <akpm@osdl.org>
|
||||
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
||||
|
||||
I:100644 100644 9b0369c5a223acbf951178e87ebbb0789458b507 c089f78fb94ec170dbd042f08a4a61b9915c526e M security/keys/process_keys.c
|
||||
|
||||
Key:
|
||||
S: Skipped
|
||||
I: Included Included verbatim
|
||||
D: Deleted Manually deleted by subsequent user edit
|
||||
R: Revised Manually revised by subsequent user edit
|
||||
|
||||
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
|
||||
--- a/security/keys/process_keys.c
|
||||
+++ b/security/keys/process_keys.c
|
||||
@@ -678,7 +678,7 @@ long join_session_keyring(const char *na
|
||||
keyring = keyring_alloc(name, tsk->uid, tsk->gid, 0, NULL);
|
||||
if (IS_ERR(keyring)) {
|
||||
ret = PTR_ERR(keyring);
|
||||
- goto error;
|
||||
+ goto error2;
|
||||
}
|
||||
}
|
||||
else if (IS_ERR(keyring)) {
|
|
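Review bot: the trailing context line "else if (IS_ERR(keyring)) {" opens a second error branch in join_session_keyring() whose body is outside the hunk, so it cannot be confirmed from here that it leaves through the label that releases the session management semaphore. Please check that branch against the same rule as the "goto error2" change before relying on this one-line fix. It would also help to note in the patch header which of the two labels drops the semaphore, since neither label is visible in the hunk.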
@ -0,0 +1,2 @@
|
|||
+ security-keys-destructor-oops.patch
|
||||
+ security-keys-session-join.patch
|
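Review bot: the series lists security-keys-destructor-oops.patch before security-keys-session-join.patch, but upstream applied them the other way round: the destructor commit 94efe72f762e2c147d8146d637d5ece5614c8d94 names bcf945d36fa0598f41ac4ad46a9dc43135460263 (the session-join fix) as its parent. The two touch different files (keyring.c and process_keys.c), so either order applies cleanly, but matching the upstream order makes later comparison against the upstream history easier.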