Bug 188466
Summary: | CVE-2006-1522 DoS/bug in keyring code (security/keys/) | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 4 | Reporter: | Marcel Holtmann <holtmann> |
Component: | kernel | Assignee: | David Howells <dhowells> |
Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock> |
Severity: | high | Docs Contact: | |
Priority: | medium | ||
Version: | 4.0 | CC: | security-response-team, vanhoof |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | impact=important,source=secalert,reported=20060407,embargo=yes,public=20060410 | ||
Fixed In Version: | RHSA-2006-0493 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2006-05-24 09:29:03 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Marcel Holtmann
2006-04-10 11:39:34 UTC
Analysis from Daniel Wachdorf (who reported this problem): My understanding of the code indicates - the problem is that the kernel doesn't check to ensure that the keyring to attach the current key to is a keyring and not a user key. The function key_create_or_update makes the assumption that the provided user keyid (keyring_ref) is of type keyring and not user. Thus, it calls __keyring_search_one and passes the keyring_ref. Given that the key is a user keytype and not keyring, the dereference (rcu_dereference(keyring->payload.subscriptions)) is an invalid memory access. Patch for the mainline kernel is available from Linus' public tree: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c3a9d6541f84ac3ff566982d08389b87c1c36b4e committed in stream U4 build 34.16. A test kernel with this patch is available from http://people.redhat.com/~jbaron/rhel4/ An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0493.html |