* [security]

security-keys-destructor-oops.patch
  Fix keyring destructor
  See CAN-2005-2099
  Closes: #323039
 
* [security]
  security-keys-session-join.patch
  Fix error during session join
  See CAN-2005-2098
  Closes: #323039


svn path=/trunk/kernel/source/linux-2.6/; revision=3871

debian/changelog

@@ -1,12 +1,11 @@
 linux-2.6 (2.6.12-3) UNRELEASED; urgency=low
 
-  [ Bastian Blank ]
   * Added reference to old kernel-* package names to make
     transition a little more obvious to end users.
-    A Dan Jacobson special. Closes: #321167
+    A Dan Jacobson special. (Simon Horman) Closes: #321167
 
   * By the time this makes it into the archive, it will
-    be handling kernel-image-2.6-* packages.
+    be handling kernel-image-2.6-* packages. (Simon Horman)
     Closes: #321867
 
   * Link palinfo statically on ia64. (dann frazier) (Closes: #321885)
@@ -35,7 +34,19 @@ linux-2.6 (2.6.12-3) UNRELEASED; urgency=low
     toolchain in sid. Many thanks go to GOTO Masanori and Matthias Klose as
     well as any other who worked on the biarch toolchain to make this happen.
 
- -- Sven Luther <luther@debian.org>  Sun, 14 Aug 2005 15:21:37 +0200
+  * [security]
+    security-keys-destructor-oops.patch
+    Fix keyring destructor
+    See CAN-2005-2099 (Simon Horman)
+    Closes: #323039
+
+  * [security]
+    security-keys-session-join.patch
+    Fix error during session join
+    See CAN-2005-2098 (Simon Horman)
+    Closes: #323039
+
+ -- Simon Horman <horms@debian.org>  Mon, 15 Aug 2005 17:41:42 +0900
 
 linux-2.6 (2.6.12-2) unstable; urgency=low
 

debian/patches-debian/security-keys-destructor-oops.patch

@@ -0,0 +1,55 @@
+commit 94efe72f762e2c147d8146d637d5ece5614c8d94
+tree 002e4719541ad838342e01a5f8ff63ae0a618b29
+parent bcf945d36fa0598f41ac4ad46a9dc43135460263
+author David Howells <dhowells@redhat.com> 1123186027 -0700
+committer Linus Torvalds <torvalds@g5.osdl.org> 1123186274 -0700
+
+[PATCH] Destruction of failed keyring oopses
+
+The attached patch makes sure that a keyring that failed to instantiate
+properly is destroyed without oopsing [CAN-2005-2099].
+
+The problem occurs in three stages:
+
+ (1) The key allocator initialises the type-specific data to all zeroes. In
+     the case of a keyring, this will become a link in the keyring name list
+     when the keyring is instantiated.
+
+ (2) If a user (any user) attempts to add a keyring with anything other than
+     an empty payload, the keyring instantiation function will fail with an
+     error and won't add the keyring to the name list.
+
+ (3) The keyring's destructor then sees that the keyring has a description
+     (name) and tries to remove the keyring from the name list, which oopses
+     because the link pointers are both zero.
+
+This bug permits any user to take down a box trivially.
+
+Signed-Off-By: David Howells <dhowells@redhat.com>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+
+I:100644 100644 a1f6bac647a1c3a673bfbb2b4b03d0556cc9be88 9c208c756df8136cbaa0a06f5442af60c712ae6d M	security/keys/keyring.c
+
+Key:
+S: Skipped
+I: Included Included verbatim
+D: Deleted  Manually deleted by subsequent user edit
+R: Revised  Manually revised by subsequent user edit
+
+diff --git a/security/keys/keyring.c b/security/keys/keyring.c
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -201,7 +201,11 @@ static void keyring_destroy(struct key *
+ 
+ 	if (keyring->description) {
+ 		write_lock(&keyring_name_lock);
+-		list_del(&keyring->type_data.link);
++
++		if (keyring->type_data.link.next != NULL &&
++		    !list_empty(&keyring->type_data.link))
++			list_del(&keyring->type_data.link);
++
+ 		write_unlock(&keyring_name_lock);
+ 	}
+ 

debian/patches-debian/security-keys-session-join.patch

@@ -0,0 +1,54 @@
+commit bcf945d36fa0598f41ac4ad46a9dc43135460263
+tree 7a2aa188442bf863f20055a001baf85143d7a5b9
+parent 6fb0caa42308923d9e4ed7b36ec077b97c107e24
+author David Howells <dhowells@redhat.com> 1123186026 -0700
+committer Linus Torvalds <torvalds@g5.osdl.org> 1123186274 -0700
+
+[PATCH] Error during attempt to join key management session can leave semaphore pinned
+
+The attached patch prevents an error during the key session joining operation
+from hanging future joins in the D state [CAN-2005-2098].
+
+The problem is that the error handling path for the KEYCTL_JOIN_SESSION_KEYRING
+operation has one error path that doesn't release the session management
+semaphore. Further attempts to get the semaphore will then sleep for ever in
+the D state.
+
+This can happen in four situations, all involving an attempt to allocate a new
+session keyring:
+
+ (1) ENOMEM.
+
+ (2) The users key quota being reached.
+
+ (3) A keyring name that is an empty string.
+
+ (4) A keyring name that is too long.
+
+Any user may attempt this operation, and so any user can cause the problem to
+occur.
+
+Signed-Off-By: David Howells <dhowells@redhat.com>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+
+I:100644 100644 9b0369c5a223acbf951178e87ebbb0789458b507 c089f78fb94ec170dbd042f08a4a61b9915c526e M	security/keys/process_keys.c
+
+Key:
+S: Skipped
+I: Included Included verbatim
+D: Deleted  Manually deleted by subsequent user edit
+R: Revised  Manually revised by subsequent user edit
+
+diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
+--- a/security/keys/process_keys.c
++++ b/security/keys/process_keys.c
+@@ -678,7 +678,7 @@ long join_session_keyring(const char *na
+ 		keyring = keyring_alloc(name, tsk->uid, tsk->gid, 0, NULL);
+ 		if (IS_ERR(keyring)) {
+ 			ret = PTR_ERR(keyring);
+-			goto error;
++			goto error2;
+ 		}
+ 	}
+ 	else if (IS_ERR(keyring)) {

debian/patches-debian/series/2.6.12-3

@@ -0,0 +1,2 @@
++ security-keys-destructor-oops.patch
++ security-keys-session-join.patch