Red Hat Bugzilla – Bug 164989
CAN-2005-2099 Destruction of failed keyring oopses
Last modified: 2007-11-30 17:11:11 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.0 (like Gecko)
Description of problem:
This was found on RHEL-4-pre-U2 and patched there before U2 was frozen.
If a keyring is not fully instantiated when it is destroyed, the kernel will
oops when it tries to unlink the keyring name from the name list.
The problem occurs in three stages:
(1) The key allocator initialises the type-specific data to all zeroes. In
the case of a keyring, this will become a link in the keyring name list
when the keyring is instantiated.
(2) If a user (any user) attempts to add a keyring with anything other than
an empty payload, the keyring instantiation function will fail with an
error and won't add the keyring to the name list.
(3) The keyring's destructor then sees that the keyring has a description
(name) and tries to remove the keyring from the name list, which oopses
because the link pointers are both zero.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1.keyctl add keyring a a @p
Actual Results: It oopses on a NULL pointer dereference.
Expected Results: It should get EINVAL.
Created attachment 117397 [details]
Fix destruction of uninstantiated keyrings
The attached patch fixes destruction of uninstantiated keyrings.
We sent this to email@example.com on 20050803 and it was fixed upstream 20050804
Is fixed in current updates-testing kernel, will go live soon.
FC3 fixed 220.127.116.11 FEDORA-2005-821 [#164989:CLOSED]
FC4 fixed 18.104.22.168 FEDORA-2005-820 [#164989:CLOSED]