Bug 188466 - CVE-2006-1522 DoS/bug in keyring code (security/keys/)
Summary: CVE-2006-1522 DoS/bug in keyring code (security/keys/)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: David Howells
QA Contact: Brian Brock
URL:
Whiteboard: impact=important,source=secalert,repo...
Depends On:
Blocks:
Reported: 2006-04-10 11:39 UTC by Marcel Holtmann
Modified: 2007-11-30 22:07 UTC

Fixed In Version: RHSA-2006-0493
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-05-24 09:29:03 UTC
Target Upstream Version:
Embargoed:


Links
Red Hat Product Errata RHSA-2006:0493 (priority normal, status SHIPPED_LIVE): Important: kernel security update, last updated 2006-05-24 04:00:00 UTC

Description Marcel Holtmann 2006-04-10 11:39:34 UTC
There is a bug in the keyring code by which a user can cause an invalid memory
reference and OOPS the kernel. I have verified it against 2.6.16.1 and it looks
like it's still in 2.6.17-rc1. This can allow any user to oops the kernel and DoS
the machine.

The bug exists in the sys_add_key function of the key (keyring) code. The code
can easily be demonstrated by using the userland keyctl tool. Simply by creating
a user key then adding another key to that user key:

[testing@host tmp]$ keyctl show
Session Keyring
-3 lswrv---------- 500 -1 keyring: _uid_ses.500
40 lswrv---------- 500 -1 \_ keyring: _uid.500
[testing@host tmp]$ keyctl add user key-name key-val @s
41
[testing@host tmp]$ keyctl show
Session Keyring
-3 lswrv---------- 500 -1 keyring: _uid_ses.500
40 lswrv---------- 500 -1 \_ keyring: _uid.500
41 lswrv---------- 500 500 \_ user: key-name
[testing@drwlinux tmp]$ keyctl add user crash-me foobar 41
Segmentation fault

Comment 1 Marcel Holtmann 2006-04-10 11:44:38 UTC
Analysis from Daniel Wachdorf (who reported this problem):

My understanding of the code indicates that the problem is that the kernel doesn't
check that the keyring to attach the current key to is actually a keyring and
not a user key. The function key_create_or_update makes the assumption that the
provided user keyid (keyring_ref) is of type keyring and not user. Thus, it
calls __keyring_search_one and passes the keyring_ref. Given that the key is of
the user keytype and not a keyring, the dereference
(rcu_dereference(keyring->payload.subscriptions)) is an invalid memory access.

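
The analysis above describes a type-confusion bug: a payload union is read as if the object were a keyring without first checking its type. The following is an added illustration, not kernel code and not part of this bug report. It uses a constructed, simplified model of a key object (the struct names, the MAX_SUBSCRIPTIONS limit, the lookup_in_keyring_checked and demo_* functions are all invented for this example) to show the unchecked search path beside a hardened entry point that rejects a non-keyring before touching the payload. The -ENOTDIR return value is what the mainline key_create_or_update returns for a non-keyring today; the exact form of the 2006 patch is not shown on this page.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of a kernel key object (not the real
 * security/keys/ structures). A key carries a type pointer and a payload
 * union whose meaning depends entirely on that type. */
struct key_type { const char *name; };

/* Stand-ins for the kernel's key_type_keyring and key_type_user. */
static const struct key_type key_type_keyring = { "keyring" };
static const struct key_type key_type_user    = { "user" };

#define MAX_SUBSCRIPTIONS 8   /* constructed limit for this model */

struct keyring_list {
    unsigned int nkeys;
    struct key *keys[MAX_SUBSCRIPTIONS];
};

struct key {
    const struct key_type *type;
    const char *description;
    union {
        struct keyring_list *subscriptions;  /* meaningful only for keyrings */
        struct {
            const void *data;                /* meaningful only for user keys */
            size_t datalen;
        } user;
    } payload;
};

/* Search one keyring for a key of the given type and description. Like the
 * path the analysis describes, it trusts the caller and reads
 * payload.subscriptions without checking the type: handed a user key, `list`
 * is that key's data pointer reinterpreted as a keyring_list. */
static struct key *keyring_search_one(struct key *keyring,
                                      const struct key_type *type,
                                      const char *description)
{
    struct keyring_list *list = keyring->payload.subscriptions;
    if (!list)
        return NULL;
    for (unsigned int i = 0; i < list->nkeys; i++) {
        struct key *k = list->keys[i];
        if (k->type == type && strcmp(k->description, description) == 0)
            return k;
    }
    return NULL;
}

/* Hardened entry point: validate the object's type before any payload
 * access. Returns 0 and sets *found on success, -ENOTDIR for a non-keyring. */
int lookup_in_keyring_checked(struct key *keyring, const struct key_type *type,
                              const char *description, struct key **found)
{
    *found = NULL;
    if (!keyring || keyring->type != &key_type_keyring)
        return -ENOTDIR;
    *found = keyring_search_one(keyring, type, description);
    return 0;
}

/* Shows the confusion without dereferencing anything: on a user key the
 * unchecked path would read the data pointer as a keyring_list pointer. */
int unchecked_path_confuses_payload(const struct key *key)
{
    const void *as_list = key->payload.subscriptions;
    return key->type == &key_type_user && as_list == key->payload.user.data;
}

/* Constructed fixture mirroring the reporter's session: keyring _uid_ses.500
 * holding the user key "key-name" (serial 41 in the report). */
static struct keyring_list g_list;
static struct key g_user_key, g_keyring;

static void setup(void)
{
    memset(&g_list, 0, sizeof g_list);
    g_user_key.type = &key_type_user;
    g_user_key.description = "key-name";
    g_user_key.payload.user.data = "key-val";
    g_user_key.payload.user.datalen = 7;
    g_keyring.type = &key_type_keyring;
    g_keyring.description = "_uid_ses.500";
    g_keyring.payload.subscriptions = &g_list;
    g_list.nkeys = 1;
    g_list.keys[0] = &g_user_key;
}

/* Lookup against a real keyring: returns 1 when "key-name" is found. */
int demo_search_keyring(void)
{
    struct key *found;
    setup();
    return lookup_in_keyring_checked(&g_keyring, &key_type_user, "key-name",
                                     &found) == 0 && found == &g_user_key;
}

/* The crash case from the report: user key 41 passed where a keyring is
 * expected. The checked path returns an error instead of touching the payload. */
int demo_user_key_as_keyring(void)
{
    struct key *found;
    setup();
    return lookup_in_keyring_checked(&g_user_key, &key_type_user, "crash-me", &found);
}

int demo_confusion(void)
{
    setup();
    return unchecked_path_confuses_payload(&g_user_key);
}

int main(void)
{
    printf("search real keyring ok: %d\n", demo_search_keyring());
    printf("user key as keyring rc: %d (-ENOTDIR is %d)\n",
           demo_user_key_as_keyring(), -ENOTDIR);
    printf("unchecked path confuses payload: %d\n", demo_confusion());
    return 0;
}
```

The defensive point is that the type check sits in the entry function, before the first payload access, so every caller that can be reached from user space (here, the add_key path with an attacker-chosen serial) is covered by one check rather than each search helper having to guard itself.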

Comment 3 Marcel Holtmann 2006-04-10 17:02:23 UTC
Patch for the mainline kernel is available from Linus' public tree:

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c3a9d6541f84ac3ff566982d08389b87c1c36b4e


Comment 4 Jason Baron 2006-04-11 16:18:46 UTC
Committed in stream U4 build 34.16. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/


Comment 9 Red Hat Bugzilla 2006-05-24 09:29:03 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0493.html


