Bug 171835 - stray pointer dereference if modsign check fails
Summary: stray pointer dereference if modsign check fails
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: David Howells
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-10-26 21:07 UTC by Valdis Kletnieks
Modified: 2007-11-30 22:11 UTC (History)
CC List: 2 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2005-11-23 06:07:38 UTC
Type: ---
Embargoed:


Attachments
Return NULL if public key not found (283 bytes, patch)
2005-10-26 21:07 UTC, Valdis Kletnieks
Return NULL if public key not found (298 bytes, patch)
2005-11-22 16:25 UTC, David Howells

Description Valdis Kletnieks 2005-10-26 21:07:50 UTC
Description of problem:
in crypto/signature/ksign.c, ksign_signature_check() checks if the
return value of ksign_get_public_key() was null.  Unfortunately, it is
possible for ksign_get_public_key() to return a bogus non-null pointer if
the key is not actually found.  This results in (at best) an 'atomic counter
underflow' complaint from ksign_put_public_key (because it dereferences
pk->count), and at worst locking failures and similar.


Version-Release number of selected component (if applicable):
2.6.13-1.1627_FC5

How reproducible:
Attempt to modprobe a module that is signed with a key other than the one that's
in crypto/signatures/key.h

Additional info:
Patch to make ksign_get_public_key() behave nicely attached.

Comment 1 Valdis Kletnieks 2005-10-26 21:07:50 UTC
Created attachment 120434
Return NULL if public key not found

Comment 2 David Howells 2005-11-22 16:24:23 UTC
The patch is slightly more complicated than is necessary. Just setting pk to 
NULL between the end of the loop and the "found" label is sufficient. If a 
match is made, then the goto will skip the clearance. 
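
The pattern the report (Comment 0) and David Howells' fix (Comment 2) describe, as an added user-space model; this is not the crypto/signature/ksign.c code, and struct pubkey, key_lookup_buggy, key_lookup_fixed and the sample key ids are assumptions for illustration. A list_for_each_entry-style loop that runs to completion leaves its cursor pointing at the "entry" computed from the list head, which is non-NULL, so a caller's NULL check passes and a later refcount put operates on memory that is not a key. Clearing the cursor after the loop, with the goto on a match skipping the clearance, restores the NULL contract.

```c
/* Added example: user-space model of the lookup bug behind Bug 171835.
 * Not the kernel's ksign.c; names and sample keys are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal circular doubly-linked list, modelled after the kernel's list.h. */
struct list_head { struct list_head *next, *prev; };

#define LIST_HEAD_INIT(name) { &(name), &(name) }
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)

/* After a complete pass the cursor equals list_entry(head, ...): the list
 * head reinterpreted as an entry, which is never NULL. */
#define list_for_each_entry(pos, head, member)                          \
    for (pos = list_entry((head)->next, __typeof__(*pos), member);      \
         &pos->member != (head);                                        \
         pos = list_entry(pos->member.next, __typeof__(*pos), member))

static void list_add_tail(struct list_head *entry, struct list_head *head)
{
    entry->prev = head->prev;
    entry->next = head;
    head->prev->next = entry;
    head->prev = entry;
}

/* A public key record; refcount stands in for the atomic count the
 * report says ksign_put_public_key dereferences. */
struct pubkey {
    struct list_head link;
    unsigned char keyid[8];
    int refcount;
};

static struct list_head key_list = LIST_HEAD_INIT(key_list);

/* Buggy lookup: when no key matches, the loop exits with pk still holding
 * the bogus cursor value, so the caller's NULL check does not fire. */
static struct pubkey *key_lookup_buggy(const unsigned char keyid[8])
{
    struct pubkey *pk;

    list_for_each_entry(pk, &key_list, link) {
        if (memcmp(keyid, pk->keyid, 8) == 0) {
            pk->refcount++;
            goto found;
        }
    }
found:
    return pk;
}

/* Fixed lookup: clear pk after the loop; a match jumps past the clearance. */
static struct pubkey *key_lookup_fixed(const unsigned char keyid[8])
{
    struct pubkey *pk;

    list_for_each_entry(pk, &key_list, link) {
        if (memcmp(keyid, pk->keyid, 8) == 0) {
            pk->refcount++;
            goto found;
        }
    }
    pk = NULL;
found:
    return pk;
}

/* True if pk is the value a completed loop leaves behind: the list head
 * itself viewed as a struct pubkey. Touching pk->refcount through it would
 * read past the end of key_list, which is the "underflow" the report saw. */
static int is_bogus_cursor(const struct pubkey *pk)
{
    return pk == list_entry(&key_list, struct pubkey, link);
}

/* Constructed sample: one trusted key registered, one unknown key id. */
static struct pubkey trusted_key = { .keyid = "TRUSTKEY", .refcount = 0 };
static const unsigned char unknown_id[8] = "OTHERKEY";
static int setup_done;

static void demo_setup(void)
{
    if (!setup_done) {
        list_add_tail(&trusted_key.link, &key_list);
        setup_done = 1;
    }
}

/* 1 if the buggy lookup returns a non-NULL bogus pointer for an unknown key. */
static int demo_buggy_returns_bogus(void)
{
    struct pubkey *pk;

    demo_setup();
    pk = key_lookup_buggy(unknown_id);
    return pk != NULL && is_bogus_cursor(pk);
}

/* 1 if the fixed lookup returns NULL for an unknown key. */
static int demo_fixed_returns_null(void)
{
    demo_setup();
    return key_lookup_fixed(unknown_id) == NULL;
}

/* 1 if the fixed lookup still finds the trusted key and takes a reference. */
static int demo_fixed_finds_trusted(void)
{
    struct pubkey *pk;

    demo_setup();
    pk = key_lookup_fixed(trusted_key.keyid);
    return pk == &trusted_key && pk->refcount > 0;
}

int main(void)
{
    printf("buggy lookup, unknown key -> bogus non-NULL: %d\n", demo_buggy_returns_bogus());
    printf("fixed lookup, unknown key -> NULL: %d\n", demo_fixed_returns_null());
    printf("fixed lookup, trusted key -> found: %d\n", demo_fixed_finds_trusted());
    return 0;
}
```

The model keeps the list link at offset 0 so the bogus pointer is exactly the address of the list head and nothing in the demo dereferences it; in a real struct the link usually sits at some other offset, so the "entry" lands in unrelated memory near the head, which is why the symptom in the report ranged from a refcount complaint to locking failures.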

Comment 3 David Howells 2005-11-22 16:25:50 UTC
Created attachment 121360
Return NULL if public key not found

Comment 4 Dave Jones 2005-11-23 06:07:38 UTC
Merged in CVS. Built for rawhide, should go out in the first post-test1 push.

(Also available from http://people.redhat.com/davej/kernels/Fedora/devel/)

