Bug 171835 - stray pointer dereference if modsign check fails
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: David Howells
QA Contact: Brian Brock
Docs Contact:
Depends On:
Blocks:
Reported: 2005-10-26 17:07 EDT by Valdis Kletnieks
Modified: 2007-11-30 17:11 EST
CC: 2 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-11-23 01:07:38 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
Return NULL if public key not found (283 bytes, patch)
2005-10-26 17:07 EDT, Valdis Kletnieks
Return NULL if public key not found (298 bytes, patch)
2005-11-22 11:25 EST, David Howells

Description Valdis Kletnieks 2005-10-26 17:07:50 EDT
Description of problem:
In crypto/signature/ksign.c, ksign_signature_check() checks if the
return value of ksign_get_public_key() was null.  Unfortunately, it is
possible for ksign_get_public_key() to return a bogus non-null pointer if
the key is not actually found.  This results in (at best) an 'atomic counter
underflow' complaint from ksign_put_public_key (because it dereferences
pk->count), and at worst locking failures and similar.


Version-Release number of selected component (if applicable):
2.6.13-1.1627_FC5

How reproducible:
Attempt to modprobe a module that is signed with a key other than the one that's
in crypto/signatures/key.h

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Patch to make ksign_get_public_key() behave nicely attached.
Comment 1 Valdis Kletnieks 2005-10-26 17:07:50 EDT
Created attachment 120434 [details]
Return NULL if public key not found
Comment 2 David Howells 2005-11-22 11:24:23 EST
The patch is slightly more complicated than is necessary. Just setting pk to
NULL between the end of the loop and the "found" label is sufficient. If a
match is made, then the goto will skip the clearance.
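The defect pattern the report and Comment 2 describe, as an added C model (not ksign.c's own code): a kernel-style list_for_each_entry leaves its iterator positioned on the list head when nothing matches, so a lookup that returns the iterator hands back a non-NULL bogus pointer, while the fixed variant clears pk between the loop and the label. The list macros, the struct layout and the key ids are constructed assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal model of the kernel's intrusive list (constructed for this example). */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each_entry(pos, head, member)                          \
    for (pos = container_of((head)->next, __typeof__(*pos), member);    \
         &pos->member != (head);                                        \
         pos = container_of(pos->member.next, __typeof__(*pos), member))
struct ksign_public_key {      /* hypothetical shape, not ksign.c's */
    struct list_head link;
    uint64_t keyid;
    int count;                 /* refcount that ksign_put_public_key() drops */
};
static struct list_head keyring = { &keyring, &keyring };

static void add_key(struct ksign_public_key *k) {     /* append at tail */
    k->link.next = &keyring; k->link.prev = keyring.prev;
    keyring.prev->next = &k->link; keyring.prev = &k->link;
}

/* Buggy lookup: with no match the loop ends with pk positioned on the list
 * head itself, a non-NULL pointer into 'keyring' rather than a real key. */
struct ksign_public_key *get_key_buggy(uint64_t keyid) {
    struct ksign_public_key *pk;
    list_for_each_entry(pk, &keyring, link)
        if (pk->keyid == keyid) goto found;
found:
    return pk;
}

/* Fixed lookup (Comment 2): clear pk between the loop and the label; a match
 * jumps over the clearance, so only the not-found path yields NULL. */
struct ksign_public_key *get_key_fixed(uint64_t keyid) {
    struct ksign_public_key *pk;
    list_for_each_entry(pk, &keyring, link)
        if (pk->keyid == keyid) goto found;
    pk = NULL;
found:
    return pk;
}

/* True when pk is the bogus list-head pointer the buggy lookup returns. */
int is_bogus(const struct ksign_public_key *pk) { return pk && &pk->link == &keyring; }

static struct ksign_public_key trusted = { .keyid = 0x1111 };   /* constructed key */
void setup_keyring(void) { if (keyring.next == &keyring) add_key(&trusted); }
```

Calling get_key_buggy() with an unknown id returns a pointer that passes a NULL check yet points at the list head, which is exactly what makes the later pk->count access in the put path misbehave.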
Comment 3 David Howells 2005-11-22 11:25:50 EST
Created attachment 121360 [details]
Return NULL if public key not found
Comment 4 Dave Jones 2005-11-23 01:07:38 EST
Merged in CVS. Built for rawhide; should go out in the first post-test1 push.

(Also available from http://people.redhat.com/davej/kernels/Fedora/devel/)
