diff --git a/debian/changelog b/debian/changelog index ce4076cb2..2ec2724d7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -325,6 +325,8 @@ linux (4.9.24-1) UNRELEASED; urgency=medium - rtmutex: Provide rt_mutex_lock_state() - rtmutex: Provide locked slowpath - rwsem/rt: Lift single reader restriction + * KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings + (CVE-2016-9604) [ Salvatore Bonaccorso ] * ping: implement proper locking (CVE-2017-2671) diff --git a/debian/patches/bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch b/debian/patches/bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch new file mode 100644 index 000000000..2ce00557f --- /dev/null +++ b/debian/patches/bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch @@ -0,0 +1,76 @@ +From: David Howells +Date: Tue, 18 Apr 2017 15:31:07 +0100 +Subject: KEYS: Disallow keyrings beginning with '.' to be joined as session + keyrings +Origin: https://git.kernel.org/linus/ee8f844e3c5a73b999edf733df1c529d6503ec2f +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9604 + +This fixes CVE-2016-9604. + +Keyrings whose name begin with a '.' are special internal keyrings and so +userspace isn't allowed to create keyrings by this name to prevent +shadowing. However, the patch that added the guard didn't fix +KEYCTL_JOIN_SESSION_KEYRING. Not only can that create dot-named keyrings, +it can also subscribe to them as a session keyring if they grant SEARCH +permission to the user. + +This, for example, allows a root process to set .builtin_trusted_keys as +its session keyring, at which point it has full access because now the +possessor permissions are added. This permits root to add extra public +keys, thereby bypassing module verification. + +This also affects kexec and IMA. + +This can be tested by (as root): + + keyctl session .builtin_trusted_keys + keyctl add user a a @s + keyctl list @s + +which on my test box gives me: + + 2 keys in keyring: + 180010936: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: ae3d4a31b82daa8e1a75b49dc2bba949fd992a05 + 801382539: --alswrv 0 0 user: a + + +Fix this by rejecting names beginning with a '.' in the keyctl. + +Signed-off-by: David Howells +Acked-by: Mimi Zohar +cc: linux-ima-devel@lists.sourceforge.net +cc: stable@vger.kernel.org +--- + security/keys/keyctl.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/security/keys/keyctl.c ++++ b/security/keys/keyctl.c +@@ -271,7 +271,8 @@ error: + * Create and join an anonymous session keyring or join a named session + * keyring, creating it if necessary. A named session keyring must have Search + * permission for it to be joined. Session keyrings without this permit will +- * be skipped over. ++ * be skipped over. It is not permitted for userspace to create or join ++ * keyrings whose name begin with a dot. + * + * If successful, the ID of the joined session keyring will be returned. + */ +@@ -288,12 +289,16 @@ long keyctl_join_session_keyring(const c + ret = PTR_ERR(name); + goto error; + } ++ ++ ret = -EPERM; ++ if (name[0] == '.') ++ goto error_name; + } + + /* join the session */ + ret = join_session_keyring(name); ++error_name: + kfree(name); +- + error: + return ret; + } diff --git a/debian/patches/series b/debian/patches/series index cc1800bfe..81c50d2a8 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -108,6 +108,7 @@ debian/time-mark-timer_stats-as-broken.patch bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch bugfix/all/ping-implement-proper-locking.patch +bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch # Fix exported symbol versions bugfix/ia64/revert-ia64-move-exports-to-definitions.patch