From 4272044bc9dfe653e10ad18ff85b861e7af96593 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Mon, 27 Jul 2015 18:12:37 +0000 Subject: [PATCH] KEYS: ensure we free the assoc array edit if edit is valid (CVE-2015-1333) svn path=/dists/trunk/linux/; revision=22862 --- debian/changelog | 1 + ...he-assoc-array-edit-if-edit-is-valid.patch | 39 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 41 insertions(+) create mode 100644 debian/patches/bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch diff --git a/debian/changelog b/debian/changelog index f6f9004dc..2f392a258 100644 --- a/debian/changelog +++ b/debian/changelog @@ -8,6 +8,7 @@ linux (4.1.3-1~exp1) UNRELEASED; urgency=medium modules, to reduce kernel image size (fixes FTBFS) * debian/rules.real: Use dpkg-parsechangelog -S * [rt] Update to 4.1.3-rt3 and re-enable + * KEYS: ensure we free the assoc array edit if edit is valid (CVE-2015-1333) [ Ian Campbell ] * [armhf] Set CONFIG_ARM_TEGRA_CPUFREQ as builtin. diff --git a/debian/patches/bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch b/debian/patches/bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch new file mode 100644 index 000000000..2eff4b90f --- /dev/null +++ b/debian/patches/bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch 
@@ -0,0 +1,39 @@ +From: Colin Ian King +Subject: [PATCH] KEYS: ensure we free the assoc array edit if edit is valid +Origin: https://marc.info/?l=oss-security&m=143800676725867&w=2 + +__key_link_end is not freeing the associated array edit structure +and this leads to a 512 byte memory leak each time an identical +existing key is added with add_key(). + +The reason the add_key() system call returns okay is that +key_create_or_update() calls __key_link_begin() before checking to see +whether it can update a key directly rather than adding/replacing - which +it turns out it can. Thus __key_link() is not called through +__key_instantiate_and_link() and __key_link_end() must cancel the edit. + +CVE-2015-1333 + +Signed-off-by: Colin Ian King +Signed-off-by: David Howells +--- + +diff --git a/security/keys/keyring.c b/security/keys/keyring.c +index e72548b5897e..d33437007ad2 100644 +--- a/security/keys/keyring.c ++++ b/security/keys/keyring.c +@@ -1181,9 +1181,11 @@ void __key_link_end(struct key *keyring, + if (index_key->type == &key_type_keyring) + up_write(&keyring_serialise_link_sem); + +- if (edit && !edit->dead_leaf) { +- key_payload_reserve(keyring, +- keyring->datalen - KEYQUOTA_LINK_BYTES); ++ if (edit) { ++ if (!edit->dead_leaf) { ++ key_payload_reserve(keyring, ++ keyring->datalen - KEYQUOTA_LINK_BYTES); ++ } + assoc_array_cancel_edit(edit); + } + up_write(&keyring->sem); diff --git a/debian/patches/series b/debian/patches/series index 4cc111c4e..67b34c4e7 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -87,3 +87,4 @@ bugfix/x86/0006-x86-nmi-64-Switch-stacks-on-userspace-NMI-entry.patch bugfix/x86/0007-x86-nmi-64-Improve-nested-NMI-comments.patch bugfix/x86/0008-x86-nmi-64-Reorder-nested-NMI-checks.patch bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch +bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch
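Review bot: in the security/keys/keyring.c hunk carried by the new patch file, the logic change is sound: the old condition `if (edit && !edit->dead_leaf)` gated both the quota give-back and `assoc_array_cancel_edit(edit)` on `dead_leaf`, so a non-NULL edit with `dead_leaf` set was never cancelled, which is the leak the description attributes to `__key_link_end()` when `key_create_or_update()` takes the direct-update path and `__key_link()` is never called. The replacement `if (edit) { if (!edit->dead_leaf) { key_payload_reserve(...); } assoc_array_cancel_edit(edit); }` cancels every non-NULL edit while keeping the `key_payload_reserve()` decrement tied to `!edit->dead_leaf`, matching the old quota behaviour. Two packaging points on the same hunk: the `Origin:` header points at the oss-security list post rather than an upstream commit, so it should be updated to the upstream commit reference once the fix is merged, and a `Bug-Debian:`/`Bug:` reference line in the patch header would help track the CVE-2015-1333 fix alongside the changelog entry.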