The keyring_search_aux function in security/keys/keyring.c in the Linux kernel allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the "dead" type. References: http://www.spinics.net/lists/keyrings/msg01846.html Upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c06cfb08b88d
Created attachment 1268882 [details] Fix to rename the 'dead' type to '.dead' to make syscalls reject the name
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1471601]
Statement: This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5. This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and MRG-2. Future Linux kernel updates for the respective releases may address this issue.
This was fixed upstream in 4.11 kernels, and backported to 4.10.13 stable series. The fix was pushed to all Fedora releases with 4.10.13 on 2017-05-04.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2077 https://access.redhat.com/errata/RHSA-2017:2077
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:1842 https://access.redhat.com/errata/RHSA-2017:1842
This issue has been addressed in the following products: Red Hat Enterprise MRG 2 Via RHSA-2017:2669 https://access.redhat.com/errata/RHSA-2017:2669