Bug 164989 - CAN-2005-2099 Destruction of failed keyring oopses
CAN-2005-2099 Destruction of failed keyring oopses
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
4
All Linux
medium Severity medium
: ---
: ---
Assigned To: David Howells
Brian Brock
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-08-03 07:05 EDT by David Howells
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-08-29 09:23:24 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Fix destruction of uninstantiated keyrings (505 bytes, patch)
2005-08-03 07:07 EDT, David Howells
no flags Details | Diff

  None (edit)
Description David Howells 2005-08-03 07:05:20 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.0 (like Gecko)

Description of problem:
This was found on RHEL-4-pre-U2 and patched there before U2 was frozen. 
  
If a keyring is not fully instantiated when it is destroyed, the kernel will   
oops when it tries to unlink the keyring name from the name list.   
   
The problem occurs in three stages:   
   
 (1) The key allocator initialises the type-specific data to all zeroes. In   
     the case of a keyring, this will become a link in the keyring name list   
     when the keyring is instantiated.   
   
 (2) If a user (any user) attempts to add a keyring with anything other than   
     an empty payload, the keyring instantiation function will fail with an   
     error and won't add the keyring to the name list.   
   
 (3) The keyring's destructor then sees that the keyring has a description   
     (name) and tries to remove the keyring from the name list, which oopses   
     because the link pointers are both zero.   
   

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.keyctl add keyring a a @p   

Actual Results:  It oopses on a NULL pointer dereference. 

Expected Results:  It should get EINVAL. 

Additional info:
Comment 1 David Howells 2005-08-03 07:07:59 EDT
Created attachment 117397 [details]
Fix destruction of uninstantiated keyrings

The attached patch fixes destruction of uninstantiated keyrings.
Comment 3 Mark J. Cox (Product Security) 2005-08-10 07:55:49 EDT
We sent this to security@kernel.org on 20050803 and it was fixed upstream 20050804
http://linux.bkbits.net:8080/linux-2.6/cset@42f276630QbcBD4i-OfNI6BXaPLWPg
Comment 4 Dave Jones 2005-08-26 18:09:49 EDT
Is fixed in current updates-testing kernel, will go live soon.
Comment 5 Mark J. Cox (Product Security) 2005-08-29 09:23:24 EDT
         FC3        fixed 2.6.12.5 FEDORA-2005-821 [#164989:CLOSED]
         FC4        fixed 2.6.12.5 FEDORA-2005-820 [#164989:CLOSED]

Note You need to log in before you can comment on or make changes to this bug.