Bug 164979

Summary: CAN-2005-2098 Error during attempt to join key management session can leave semaphore pinned
Product: Red Hat Enterprise Linux 4 Reporter: David Howells <dhowells>
Component: kernelAssignee: David Howells <dhowells>
Status: CLOSED ERRATA QA Contact: Brian Brock <bbrock>
Severity: high Docs Contact:
Priority: medium    
Version: 4.0CC: jbaron, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: source=redhat,reported=20050803,public=20050804,impact=important
Fixed In Version: RHSA-2005-514 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-10-05 13:48:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 156322, 164988    
Attachments:
Description Flags
Key management session error handling bugfix none

Description David Howells 2005-08-03 10:15:57 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.0 (like Gecko)

Description of problem:
If a request is made to join a named session keyring, but that keyring does 
not exist, then if the syscall fails to allocate a keyring it'll return an 
error without dropping the semaphore it was holding. 
 
This can only be encountered in a few ways: ENOMEM, key quota full, empty 
keyring name or keyring name too long; most of which are unlikely, 

Version-Release number of selected component (if applicable):
kernel-2.6.9-11.38.EL

How reproducible:
Always

Steps to Reproduce:
1. keyctl session "" /bin/true   
2. Any valid keyctl session command 
   

Actual Results:  Command (2) hangs in the D state. 

Expected Results:  Command (2) should exit with an error or go into the new session as 
appropriate. 

Additional info:

Any user can use this command. Whilst the keyctl program could be made to 
validate the argument to prevent accidental incurment, it's still possible to 
suffer from ENOMEM and EDQUOT errors, and it's possible to bypass keyctl 
entirely and invoke the keyctl() system call directly.

Comment 1 David Howells 2005-08-03 10:20:18 UTC
Created attachment 117393 [details]
Key management session error handling bugfix

This patch makes the KEYCTL_JOIN_SESSION_KEYRING error handling always release
the semaphore

Comment 2 Mark J. Cox 2005-08-03 10:39:52 UTC
Easy unprivileged user DoS, so CAN-2005-2098

Comment 6 Mark J. Cox 2005-08-10 11:57:49 UTC
We sent this to security on 20050803 and it was fixed upstream 20050804
http://linux.bkbits.net:8080/linux-2.6/cset@42f27662eQX0eDgsMgMAQb3H52ljWA

Comment 8 Red Hat Bugzilla 2005-10-05 13:48:05 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-514.html