From Bugzilla Helper: User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.0 (like Gecko) Description of problem: If a request is made to join a named session keyring, but that keyring does not exist, then if the syscall fails to allocate a keyring it'll return an error without dropping the semaphore it was holding. This can only be encountered in a few ways: ENOMEM, key quota full, empty keyring name or keyring name too long; most of which are unlikely, Version-Release number of selected component (if applicable): kernel-2.6.9-11.38.EL How reproducible: Always Steps to Reproduce: 1. keyctl session "" /bin/true 2. Any valid keyctl session command Actual Results: Command (2) hangs in the D state. Expected Results: Command (2) should exit with an error or go into the new session as appropriate. Additional info: Any user can use this command. Whilst the keyctl program could be made to validate the argument to prevent accidental incurment, it's still possible to suffer from ENOMEM and EDQUOT errors, and it's possible to bypass keyctl entirely and invoke the keyctl() system call directly.
Created attachment 117393 [details] Key management session error handling bugfix This patch makes the KEYCTL_JOIN_SESSION_KEYRING error handling always release the semaphore
Easy unprivileged user DoS, so CAN-2005-2098
We sent this to security on 20050803 and it was fixed upstream 20050804 http://linux.bkbits.net:8080/linux-2.6/cset@42f27662eQX0eDgsMgMAQb3H52ljWA
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-514.html