Bug 627440 (CVE-2010-2960)
| Field | Value |
|---|---|
| Summary | CVE-2010-2960 keyctl_session_to_parent NULL deref system crash |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Eugene Teo (Security Response) <eteo> |
| Assignee | Nobody <nobody> |
| Status | ASSIGNED |
| Severity | high |
| Priority | high |
| Version | unspecified |
| CC | arozansk, bhu, dhowells, jkacur, lgoncalv, peterm, williams |
| Target Milestone | --- |
| Target Release | --- |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Story Points | --- |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 627807, 627808 |
Description
Eugene Teo (Security Response)
2010-08-26 03:07:46 UTC
This bit in keyctl_session_to_parent():

```c
/* the keyrings must have the same UID */
if (pcred->tgcred->session_keyring->uid != mycred->euid ||
    mycred->tgcred->session_keyring->uid != mycred->euid)
	goto not_permitted;
```

is the problem. It assumes that the parent has a session keyring, which it may not, especially if pam_keyinit hasn't been invoked during the login procedure.

Created attachment 441164
Fix missing RCU read lock in keyctl_session_to_parent()
This patch fixes a missing RCU lock, but doesn't actually fix the bug.
Created attachment 441165 [details]
Make a check of the parent session keyring's UID conditional
The check of the parent's session keyring's UID should be conditional on the parent actually having a session keyring. This is the fix for the reported bug.
Acknowledgements: Red Hat would like to thank Tavis Ormandy for reporting this issue.

Statement: This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG as it did not include upstream commit ee18d64c that introduced the problem.

Pushed the patches to Linus.

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=9d1ac65a9698513d00e5608d93fca0c53f536c14 "KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()"

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=3d96406c7da1ed5811ea52a3b0905f4f0e295376 "KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring"
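Added illustration (not part of this bug report and not the kernel's code): a user-space mock of the UID check quoted in the description, with the unconditional form beside the conditional form that the second attachment describes. The struct names, the `uid_check_*` functions and the scenario helpers are constructed stand-ins for the kernel's `cred`, `thread_group_cred` and `key` structures; the scenarios reproduce the report's case of a parent that has no session keyring (no pam_keyinit at login) and show that the conditional check still rejects a UID mismatch on the caller's own keyring.

```c
#include <stdbool.h>
#include <stddef.h>

/* Minimal stand-ins for the kernel structures involved (constructed for
 * illustration; not the kernel's definitions). */
struct key { unsigned int uid; };
struct thread_group_cred { struct key *session_keyring; };
struct cred {
    unsigned int euid;
    struct thread_group_cred *tgcred;
};

/* The check as quoted in the bug: it dereferences the parent's session
 * keyring unconditionally, so a parent whose session_keyring is NULL
 * crashes here. Kept only for side-by-side comparison; it must not be
 * called with a NULL parent keyring. */
bool uid_check_unconditional(const struct cred *pcred, const struct cred *mycred)
{
    if (pcred->tgcred->session_keyring->uid != mycred->euid ||
        mycred->tgcred->session_keyring->uid != mycred->euid)
        return false;   /* not_permitted */
    return true;
}

/* The conditional form: compare the parent's keyring UID only when the
 * parent actually has a session keyring. The caller's own keyring is
 * still required to exist and to match its euid. */
bool uid_check_conditional(const struct cred *pcred, const struct cred *mycred)
{
    if ((pcred->tgcred->session_keyring &&
         pcred->tgcred->session_keyring->uid != mycred->euid) ||
        mycred->tgcred->session_keyring->uid != mycred->euid)
        return false;   /* not_permitted */
    return true;
}

/* Scenario from the report: the parent logged in without pam_keyinit and has
 * no session keyring; the child owns a keyring under its own euid. The
 * unconditional check would dereference NULL here; the conditional check
 * permits the operation without touching the missing keyring. */
bool scenario_parent_without_keyring(void)
{
    struct key child_keyring = { .uid = 1000 };
    struct thread_group_cred ptg = { .session_keyring = NULL };
    struct thread_group_cred mtg = { .session_keyring = &child_keyring };
    struct cred pcred = { .euid = 1000, .tgcred = &ptg };
    struct cred mycred = { .euid = 1000, .tgcred = &mtg };
    return uid_check_conditional(&pcred, &mycred);   /* true */
}

/* Both sides have keyrings under the same UID: both forms agree. */
bool scenario_both_match(bool use_conditional)
{
    struct key parent_keyring = { .uid = 1000 };
    struct key child_keyring = { .uid = 1000 };
    struct thread_group_cred ptg = { .session_keyring = &parent_keyring };
    struct thread_group_cred mtg = { .session_keyring = &child_keyring };
    struct cred pcred = { .euid = 1000, .tgcred = &ptg };
    struct cred mycred = { .euid = 1000, .tgcred = &mtg };
    return use_conditional ? uid_check_conditional(&pcred, &mycred)
                           : uid_check_unconditional(&pcred, &mycred);
}

/* The parent's keyring belongs to another UID: still rejected after the fix. */
bool scenario_parent_keyring_other_uid(void)
{
    struct key parent_keyring = { .uid = 0 };
    struct key child_keyring = { .uid = 1000 };
    struct thread_group_cred ptg = { .session_keyring = &parent_keyring };
    struct thread_group_cred mtg = { .session_keyring = &child_keyring };
    struct cred pcred = { .euid = 0, .tgcred = &ptg };
    struct cred mycred = { .euid = 1000, .tgcred = &mtg };
    return uid_check_conditional(&pcred, &mycred);   /* false */
}

/* The caller's own keyring does not match its euid: rejected as before. */
bool scenario_own_keyring_mismatch(void)
{
    struct key parent_keyring = { .uid = 1000 };
    struct key child_keyring = { .uid = 1001 };
    struct thread_group_cred ptg = { .session_keyring = &parent_keyring };
    struct thread_group_cred mtg = { .session_keyring = &child_keyring };
    struct cred pcred = { .euid = 1000, .tgcred = &ptg };
    struct cred mycred = { .euid = 1000, .tgcred = &mtg };
    return uid_check_conditional(&pcred, &mycred);   /* false */
}
```

The point of the side-by-side is that the fix narrows nothing about the permission decision: every case the old check could evaluate without crashing is decided the same way, and the only new behaviour is that a parent without a session keyring is no longer dereferenced.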