Bug 164991 - CAN-2005-2099 Destruction of failed keyring oopses
CAN-2005-2099 Destruction of failed keyring oopses
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel (Show other bugs)
All Linux
medium Severity high
: ---
: ---
Assigned To: David Howells
Brian Brock
: Security
Depends On:
Blocks: 156322
  Show dependency treegraph
Reported: 2005-08-03 07:38 EDT by David Howells
Modified: 2007-11-30 17:07 EST (History)
2 users (show)

See Also:
Fixed In Version: RHSA-2005-514
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-10-05 09:48:18 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2005:514 qe-ready SHIPPED_LIVE Important: Updated kernel packages available for Red Hat Enterprise Linux 4 Update 2 2005-10-05 00:00:00 EDT

  None (edit)
Description David Howells 2005-08-03 07:38:56 EDT
+++ This bug was initially created as a clone of Bug #164989 +++ 
From Bugzilla Helper: 
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.0 (like 
Description of problem: 
This was found on RHEL-4-pre-U2 and patched there before U2 was frozen.  
If a keyring is not fully instantiated when it is destroyed, the kernel will    
oops when it tries to unlink the keyring name from the name list.    
The problem occurs in three stages:    
 (1) The key allocator initialises the type-specific data to all zeroes. In    
     the case of a keyring, this will become a link in the keyring name list    
     when the keyring is instantiated.    
 (2) If a user (any user) attempts to add a keyring with anything other than    
     an empty payload, the keyring instantiation function will fail with an    
     error and won't add the keyring to the name list.    
 (3) The keyring's destructor then sees that the keyring has a description    
     (name) and tries to remove the keyring from the name list, which oopses    
     because the link pointers are both zero.    
Version-Release number of selected component (if applicable): 
How reproducible: 
Steps to Reproduce: 
1.keyctl add keyring a a @p    
Actual Results:  It oopses on a NULL pointer dereference.  
Expected Results:  It should get EINVAL.  
Additional info: 
This bug is already fixed in RHEL-4 U2.
Comment 1 Mark J. Cox 2005-08-10 07:56:49 EDT
We sent this to security@kernel.org on 20050803 and it was fixed upstream 20050804
Comment 3 Red Hat Bugzilla 2005-10-05 09:48:18 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.