Bug 1272172 - Using request_key() or keyctl request2 to get a kernel causes the key garbage collector to crash
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: kernel
Version: 22
Hardware: Unspecified Unspecified
Priority: unspecified Severity: urgent
Assigned To: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Blocks: CVE-2015-7872 1273463 1273465
Reported: 2015-10-15 12:04 EDT by David Howells
Modified: 2016-11-08 11:16 EST
Fixed In Version: kernel-4.1.12-101.fc21
Doc Type: Bug Fix
Last Closed: 2015-11-12 21:51:33 EST
Type: Bug


Description David Howells 2015-10-15 12:04:16 EDT
Description of problem:

This command sequence:

    i=`keyctl add user a a @s`
    keyctl request2 keyring foo bar @t
    keyctl unlink $i @s

Will cause the keyrings garbage collector to crash because the keyring_destroy() function sees the cached error code in the key as a pointer to its name, resulting in an oops that looks like the following.  Note the value in RAX that is -ENOKEY as a 32-bit value.

BUG: unable to handle kernel paging request at 00000000ffffff8a
IP: [<ffffffff8126e051>] keyring_destroy+0x3d/0x88
PGD 0 
Oops: 0002 [#1] SMP 
Modules linked in:
CPU: 0 PID: 1201 Comm: kworker/0:2 Tainted: G        W       4.3.0-rc2-fsdevel #456
Hardware name:                  /DG965RY, BIOS MQ96510J.86A.0816.2006.0716.2308 07/16/2006
Workqueue: events key_garbage_collector
task: ffff88003bfc6200 ti: ffff88003e2f0000 task.ti: ffff88003e2f0000
RIP: 0010:[<ffffffff8126e051>]  [<ffffffff8126e051>] keyring_destroy+0x3d/0x88
RSP: 0018:ffff88003e2f3d30  EFLAGS: 00010203
RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40
RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000
R10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900
R13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000
FS:  0000000000000000(0000) GS:ffff88003da00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0
Stack:
 ffff88003bf1a908 ffff88003e2f3d58 ffffffff8126c756 00000000561fc960
 7fffffffffffffff ffff88003e2f3da0 ffffffff8126ca71 ffff88003bf1a400
 ffff88003e1fd4c0 ffff88003e2f3cd0 ffffffff81a73720 ffff88003da14f80
Call Trace:
 [<ffffffff8126c756>] key_gc_unused_keys.constprop.1+0x5d/0x10f
 [<ffffffff8126ca71>] key_garbage_collector+0x1fa/0x351
 [<ffffffff8105ec9b>] process_one_work+0x28e/0x547
 [<ffffffff8105fd17>] worker_thread+0x26e/0x361
 [<ffffffff8105faa9>] ? rescuer_thread+0x2a8/0x2a8
 [<ffffffff810648ad>] kthread+0xf3/0xfb
 [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
 [<ffffffff815f2ccf>] ret_from_fork+0x3f/0x70
 [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2


Version-Release number of selected component (if applicable):

Anything since v2.6.39-rc1.
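
Added example (not part of the original report or of the kernel sources): a small Python triage helper that reads the register lines of the oops above, shows that RAX holds -ENOKEY zero-extended from 32 bits, and that the faulting address in CR2 lies 8 bytes past it. The function names and the 4096-byte offset window are choices made for this example.

```python
import re

# Linux errno values for the key-management error codes.
KEY_ERRNOS = {126: "ENOKEY", 127: "EKEYEXPIRED", 128: "EKEYREVOKED", 129: "EKEYREJECTED"}

# Excerpt of the oops quoted in this report (fault and register lines only).
OOPS = """\
BUG: unable to handle kernel paging request at 00000000ffffff8a
IP: [<ffffffff8126e051>] keyring_destroy+0x3d/0x88
Oops: 0002 [#1] SMP
Workqueue: events key_garbage_collector
RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40
CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0
"""

def errno_in_register(value):
    """Return the errno if value is a zero-extended negative 32-bit errno, else None."""
    if value >> 32:                      # upper half set: a genuine 64-bit value
        return None
    signed = value - (1 << 32) if value & 0x80000000 else value
    return -signed if -4095 <= signed < 0 else None   # kernel MAX_ERRNO is 4095

def triage(oops):
    """Flag an oops whose fault address sits just past an errno held in a register."""
    regs = {n: int(v, 16)
            for n, v in re.findall(r"\b(R[A-Z0-9]{1,2}|CR2): ([0-9a-f]{16})", oops)}
    fault = regs.pop("CR2")
    code = int(re.search(r"Oops: ([0-9a-f]{4})", oops).group(1), 16)
    func = re.search(r"IP: \[<[0-9a-f]+>\] (\w+)\+", oops).group(1)
    hits = []
    for name, value in sorted(regs.items()):
        err = errno_in_register(value)
        # A struct-member access lands a small offset above the bogus base pointer.
        if err is not None and 0 <= fault - value < 4096:
            hits.append({"reg": name, "errno": KEY_ERRNOS.get(err, str(err)),
                         "offset": fault - value})
    # x86 page-fault error code: bit 1 = write access, bit 2 = user mode.
    return {"function": func, "write": bool(code & 2),
            "kernel_mode": not (code & 4), "hits": hits}

if __name__ == "__main__":
    print(triage(OOPS))
```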

Comment 1 Josh Boyer 2015-10-19 08:40:39 EDT
I've added the two patches David has authored to fix this issue to all branches in Fedora git.

Comment 4 Josh Boyer 2015-10-20 08:52:58 EDT
Yep, the ones that David pointed to in comment #3.

Comment 5 Fedora Update System 2015-10-28 10:06:50 EDT
kernel-4.1.12-100.fc21 has been submitted as an update to Fedora 21. https://bodhi.fedoraproject.org/updates/FEDORA-2015-fe9a93653f

Comment 6 Fedora Update System 2015-10-28 15:12:44 EDT
kernel-4.1.12-101.fc21 has been submitted as an update to Fedora 21. https://bodhi.fedoraproject.org/updates/FEDORA-2015-0253d1f070

Comment 7 Fedora Update System 2015-11-01 21:54:57 EST
kernel-4.1.12-101.fc21 has been pushed to the Fedora 21 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with

    $ su -c 'dnf --enablerepo=updates-testing update kernel'

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-0253d1f070

Comment 8 Fedora Update System 2015-11-12 21:51:02 EST
kernel-4.1.12-101.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
