Bug 188466

Summary: CVE-2006-1522 DoS/bug in keyring code (security/keys/)
Product: Red Hat Enterprise Linux 4 Reporter: Marcel Holtmann <holtmann>
Component: kernelAssignee: David Howells <dhowells>
Status: CLOSED ERRATA QA Contact: Brian Brock <bbrock>
Severity: high Docs Contact:
Priority: medium    
Version: 4.0CC: security-response-team, vanhoof
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,source=secalert,reported=20060407,embargo=yes,public=20060410
Fixed In Version: RHSA-2006-0493 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-05-24 09:29:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Marcel Holtmann 2006-04-10 11:39:34 UTC 
There is a bug in the keyring code by which user can cause an invalid memory
reference and OOPS the kernel. I have verified it against 2.6.16.1 and it looks
like its still in 2.6.17-rc1. This can allow any user to oops the kernel and DOS
the machine.

The bug exists in the sys_add_key function of the key (keyring) code. The code
can easily be demonstrated by using the userland keyctl tool. Simply by creating
a user key then adding another key to that user key:

[testing@host tmp]$ keyctl show
Session Keyring
-3 lswrv---------- 500 -1 keyring: _uid_ses.500
40 lswrv---------- 500 -1 \_ keyring: _uid.500
[testing@host tmp]$ keyctl add user key-name key-val @s
41
[testing@host tmp]$ keyctl show
Session Keyring
-3 lswrv---------- 500 -1 keyring: _uid_ses.500
40 lswrv---------- 500 -1 \_ keyring: _uid.500
41 lswrv---------- 500 500 \_ user: key-name
[testing@drwlinux tmp]$ keyctl add user crash-me foobar 41
Segmentation fault
Comment 1 Marcel Holtmann 2006-04-10 11:44:38 UTC 
Analysis from Daniel Wachdorf (who reported this problem):

My understanding of the code indicates - the problem is that the kernel doesn't
check to ensure that the keyring to attach the current key to is a keyring and
not a user key. The function key_create_or_update makes the assumption that the
provided user keyid (keyring_ref) is of type keyring and not user. Thus, it
calls __keyring_search_one and passes the keyring_ref. Given that the key is a
user keytype and not keyring, the dereference
(rcu_dereference(keyring->payload.subscriptions)) is an invalid memory access.
Comment 3 Marcel Holtmann 2006-04-10 17:02:23 UTC 
Patch for the mainline kernel is available from Linus' public tree:

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c3a9d6541f84ac3ff566982d08389b87c1c36b4e
Comment 4 Jason Baron 2006-04-11 16:18:46 UTC 
committed in stream U4 build 34.16. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
Comment 9 Red Hat Bugzilla 2006-05-24 09:29:03 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0493.html