Bug 1072419 (CVE-2014-0102)

Summary: CVE-2014-0102 kernel: security: keyring cycle detector DoS
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agordeev, anton, aquini, bhu, dhoward, dhowells, esammons, fhrbata, iboverma, jkacur, jross, kernel-mgr, lgoncalv, lwang, matt, mcressma, npajkovs, pholasek, security-response-team, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-03-04 14:52:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1071346, 1071396, 1072425    
Bug Blocks: 1072464    
Attachments:
Description Flags
Upstream proposed patch none

Description Petr Matousek 2014-03-04 14:42:31 UTC 
Description of the problem:
The problem is that search_nested_keyrings() sees two keyrings that have
matching type and description, so keyring_compare_object() returns true.
s_n_k() then passes the key to the iterator function -
keyring_detect_cycle_iterator() - which *should* check to see whether this is
the keyring of interest, not just one with the same name and, leads to
BUG_ON.

An unprivileged local user could use this flaw to crash the system. 

Introduced by:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b2a4df200d570b2c33a57e1ebfa5896e4bc81b69

References:
https://lkml.org/lkml/2014/2/27/507
Comment 1 Petr Matousek 2014-03-04 14:50:56 UTC 
Created attachment 870451 [details]
Upstream proposed patch
Comment 3 Petr Matousek 2014-03-04 14:52:48 UTC 
Statement:

This issue did not affect the versions of Linux kernel package as shipped with Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2 as they did not backport the commit that introduced this issue.
Comment 4 Petr Matousek 2014-03-04 16:58:21 UTC 
Upstream patch:

  http://www.kernelhub.org/?msg=425013&p=2