+++ This bug was initially created as a clone of Bug #164989 +++ From Bugzilla Helper: User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.0 (like Gecko) Description of problem: This was found on RHEL-4-pre-U2 and patched there before U2 was frozen. If a keyring is not fully instantiated when it is destroyed, the kernel will oops when it tries to unlink the keyring name from the name list. The problem occurs in three stages: (1) The key allocator initialises the type-specific data to all zeroes. In the case of a keyring, this will become a link in the keyring name list when the keyring is instantiated. (2) If a user (any user) attempts to add a keyring with anything other than an empty payload, the keyring instantiation function will fail with an error and won't add the keyring to the name list. (3) The keyring's destructor then sees that the keyring has a description (name) and tries to remove the keyring from the name list, which oopses because the link pointers are both zero. Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1.keyctl add keyring a a @p Actual Results: It oopses on a NULL pointer dereference. Expected Results: It should get EINVAL. Additional info: This bug is already fixed in RHEL-4 U2.
We sent this to security on 20050803 and it was fixed upstream 20050804 http://linux.bkbits.net:8080/linux-2.6/cset@42f276630QbcBD4i-OfNI6BXaPLWPg
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-514.html