Bug 188466 - CVE-2006-1522 DoS/bug in keyring code (security/keys/)
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Hardware: All
OS: Linux
Priority: medium
Severity: high
Assigned To: David Howells
QA Contact: Brian Brock
Keywords: Security
Reported: 2006-04-10 07:39 EDT by Marcel Holtmann
Modified: 2007-11-30 17:07 EST
Fixed In Version: RHSA-2006-0493
Doc Type: Bug Fix
Last Closed: 2006-05-24 05:29:03 EDT
Description Marcel Holtmann 2006-04-10 07:39:34 EDT
There is a bug in the keyring code by which a user can cause an invalid memory
reference and OOPS the kernel. I have verified it against and it looks
like it's still in 2.6.17-rc1. This can allow any user to oops the kernel and DoS
the machine.

The bug exists in the sys_add_key function of the key (keyring) code. The bug
can easily be demonstrated by using the userland keyctl tool, simply by creating
a user key and then adding another key to that user key:

[testing@host tmp]$ keyctl show
Session Keyring
-3 lswrv---------- 500 -1 keyring: _uid_ses.500
40 lswrv---------- 500 -1 \_ keyring: _uid.500
[testing@host tmp]$ keyctl add user key-name key-val @s
[testing@host tmp]$ keyctl show
Session Keyring
-3 lswrv---------- 500 -1 keyring: _uid_ses.500
40 lswrv---------- 500 -1 \_ keyring: _uid.500
41 lswrv---------- 500 500 \_ user: key-name
[testing@drwlinux tmp]$ keyctl add user crash-me foobar 41
Segmentation fault
Comment 1 Marcel Holtmann 2006-04-10 07:44:38 EDT
Analysis from Daniel Wachdorf (who reported this problem):

My understanding of the code indicates that the problem is that the kernel doesn't
check to ensure that the keyring to attach the current key to is a keyring and
not a user key. The function key_create_or_update makes the assumption that the
provided user keyid (keyring_ref) is of type keyring and not user. Thus, it
calls __keyring_search_one and passes the keyring_ref. Given that the key is a
user keytype and not a keyring, the dereference
(rcu_dereference(keyring->payload.subscriptions)) is an invalid memory access.
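The type confusion described in the analysis above, modelled in userspace. This is an added illustration, not the kernel's code: the struct layouts, the function names (new_keyring, new_user_key, vulnerable_nkeys_seen, hardened_add_key) and the bounded key list are simplifications of mine. The only kernel-faithful parts are the shape of the bug (one payload slot whose meaning depends on key->type, read as a keyring list without checking the type) and the shape of the fix (reject a non-keyring target before touching its payload; -ENOTDIR is the error later kernels report for that case):

```c
/*
 * Userspace model of the logic behind CVE-2006-1522 in security/keys/key.c.
 * key_create_or_update() handed its target straight to __keyring_search_one(),
 * which read target->payload.subscriptions as a struct keyring_list without
 * checking that the target was a keyring. For a "user" key the same payload
 * slot holds a struct user_key_payload, so the search used key data as a key
 * count and as key pointers. Simplified structs; not the kernel's code.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_KEYS 8

struct key_type { const char *name; };
static const struct key_type key_type_keyring = { "keyring" };
static const struct key_type key_type_user    = { "user" };

struct key;

/* payload of a keyring: a bounded list of child keys */
struct keyring_list {
    unsigned short nkeys;
    struct key *keys[MAX_KEYS];
};

/* payload of a user key: caller-supplied bytes */
struct user_key_payload {
    unsigned short datalen;
    char data[32];
};

struct key {
    const struct key_type *type;
    char description[32];
    union {                                 /* one slot; meaning depends on type */
        struct keyring_list *subscriptions; /* valid only when type == keyring */
        struct user_key_payload *data;      /* valid only when type == user */
    } payload;
};

static void set_user_payload(struct user_key_payload *p, const char *value)
{
    size_t n = strlen(value);
    if (n > sizeof(p->data))
        n = sizeof(p->data);              /* truncate; this model has a fixed buffer */
    memset(p->data, 0, sizeof(p->data));
    memcpy(p->data, value, n);
    p->datalen = (unsigned short)n;
}

static struct key *new_keyring(const char *desc)
{
    struct key *k = calloc(1, sizeof(*k));
    k->type = &key_type_keyring;
    snprintf(k->description, sizeof(k->description), "%s", desc);
    k->payload.subscriptions = calloc(1, sizeof(struct keyring_list));
    return k;
}

static struct key *new_user_key(const char *desc, const char *value)
{
    struct key *k = calloc(1, sizeof(*k));
    k->type = &key_type_user;
    snprintf(k->description, sizeof(k->description), "%s", desc);
    k->payload.data = calloc(1, sizeof(struct user_key_payload));
    set_user_payload(k->payload.data, value);
    return k;
}

/* The bug: treat the payload as a keyring list regardless of type. Returns the
 * loop bound the unfixed search would use. For a user key that is datalen
 * misread as nkeys; the kernel's keys[] walk then dereferenced data bytes as
 * struct key pointers, which is the oops reported above. */
static unsigned short vulnerable_nkeys_seen(struct key *target)
{
    struct keyring_list *klist = target->payload.subscriptions; /* no type check */
    return klist->nkeys;
}

/* Only ever called on a verified keyring. */
static struct key *keyring_search_one(struct key *keyring, const char *desc)
{
    struct keyring_list *klist = keyring->payload.subscriptions;
    for (unsigned short i = 0; i < klist->nkeys; i++)
        if (klist->keys[i]->type == &key_type_user &&
            strcmp(klist->keys[i]->description, desc) == 0)
            return klist->keys[i];
    return NULL;
}

/* The fix: refuse a non-keyring target before its payload is interpreted. */
static int hardened_add_key(struct key *target, const char *desc, const char *value)
{
    if (target->type != &key_type_keyring)
        return -ENOTDIR;

    struct key *existing = keyring_search_one(target, desc);
    if (existing) {                          /* "update" half of create_or_update */
        set_user_payload(existing->payload.data, value);
        return 0;
    }
    struct keyring_list *klist = target->payload.subscriptions;
    if (klist->nkeys >= MAX_KEYS)
        return -ENFILE;
    klist->keys[klist->nkeys++] = new_user_key(desc, value);
    return 0;
}

static unsigned short keyring_count(struct key *keyring)
{
    return keyring->payload.subscriptions->nkeys;
}

int main(void)
{
    struct key *session = new_keyring("_uid_ses.500");
    hardened_add_key(session, "key-name", "key-val");
    struct key *user = keyring_search_one(session, "key-name");

    printf("session keyring holds %u key(s)\n", keyring_count(session));
    printf("unfixed search would treat '%s' as a keyring with %u entries\n",
           user->description, vulnerable_nkeys_seen(user));
    printf("hardened add to a user key -> %d (-ENOTDIR is %d)\n",
           hardened_add_key(user, "crash-me", "foobar"), -ENOTDIR);
    return 0;
}
```

The point of the model is the union: both payload types start with an unsigned short, so the unfixed search happily takes a user key's datalen as nkeys and then walks the key's own bytes as a pointer array. The check on target->type is the whole fix; everything after it is safe only because of it.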
Comment 3 Marcel Holtmann 2006-04-10 13:02:23 EDT
Patch for the mainline kernel is available from Linus' public tree:

Comment 4 Jason Baron 2006-04-11 12:18:46 EDT
Committed in stream U4 build 34.16. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
Comment 9 Red Hat Bugzilla 2006-05-24 05:29:03 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.