KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings (CVE-2016-9604)
parent
74fdfed494
commit
89402402c8
|
@ -325,6 +325,8 @@ linux (4.9.24-1) UNRELEASED; urgency=medium
|
|||
- rtmutex: Provide rt_mutex_lock_state()
|
||||
- rtmutex: Provide locked slowpath
|
||||
- rwsem/rt: Lift single reader restriction
|
||||
* KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings
|
||||
(CVE-2016-9604)
|
||||
|
||||
[ Salvatore Bonaccorso ]
|
||||
* ping: implement proper locking (CVE-2017-2671)
|
||||
|
|
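--- a/debian/patches/bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch
+++ b/debian/patches/bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch
@@ -0,0 +1,76 @@
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 18 Apr 2017 15:31:07 +0100
+Subject: KEYS: Disallow keyrings beginning with '.' to be joined as session
+keyrings
+Origin: https://git.kernel.org/linus/ee8f844e3c5a73b999edf733df1c529d6503ec2f
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9604
+
+This fixes CVE-2016-9604.
+
+Keyrings whose name begin with a '.' are special internal keyrings and so
+userspace isn't allowed to create keyrings by this name to prevent
+shadowing. However, the patch that added the guard didn't fix
+KEYCTL_JOIN_SESSION_KEYRING. Not only can that create dot-named keyrings,
+it can also subscribe to them as a session keyring if they grant SEARCH
+permission to the user.
+
+This, for example, allows a root process to set .builtin_trusted_keys as
+its session keyring, at which point it has full access because now the
+possessor permissions are added. This permits root to add extra public
+keys, thereby bypassing module verification.
+
+This also affects kexec and IMA.
+
+This can be tested by (as root):
+
+keyctl session .builtin_trusted_keys
+keyctl add user a a @s
+keyctl list @s
+
+which on my test box gives me:
+
+2 keys in keyring:
+180010936: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: ae3d4a31b82daa8e1a75b49dc2bba949fd992a05
+801382539: --alswrv 0 0 user: a
+
+
+Fix this by rejecting names beginning with a '.' in the keyctl.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+cc: linux-ima-devel@lists.sourceforge.net
+cc: stable@vger.kernel.org
+---
+security/keys/keyctl.c | 9 +++++++--
+1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -271,7 +271,8 @@ error:
+* Create and join an anonymous session keyring or join a named session
+* keyring, creating it if necessary. A named session keyring must have Search
+* permission for it to be joined. Session keyrings without this permit will
+- * be skipped over.
++ * be skipped over. It is not permitted for userspace to create or join
++ * keyrings whose name begin with a dot.
+*
+* If successful, the ID of the joined session keyring will be returned.
+*/
+@@ -288,12 +289,16 @@ long keyctl_join_session_keyring(const c
+ret = PTR_ERR(name);
+goto error;
+}
++
++ ret = -EPERM;
++ if (name[0] == '.')
++ goto error_name;
+}
+
+/* join the session */
+ret = join_session_keyring(name);
++error_name:
+kfree(name);
+-
+error:
+return ret;
+}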
|
@ -108,6 +108,7 @@ debian/time-mark-timer_stats-as-broken.patch
|
|||
bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
|
||||
bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
|
||||
bugfix/all/ping-implement-proper-locking.patch
|
||||
bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
|
||||
|
|