Bug 188466 - CVE-2006-1522 DoS/bug in keyring code (security/keys/)
CVE-2006-1522 DoS/bug in keyring code (security/keys/)
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel (Show other bugs)
4.0
All Linux
medium Severity high
: ---
: ---
Assigned To: David Howells
Brian Brock
impact=important,source=secalert,repo...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-04-10 07:39 EDT by Marcel Holtmann
Modified: 2007-11-30 17:07 EST (History)
2 users (show)

See Also:
Fixed In Version: RHSA-2006-0493
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-05-24 05:29:03 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Marcel Holtmann 2006-04-10 07:39:34 EDT
There is a bug in the keyring code by which user can cause an invalid memory
reference and OOPS the kernel. I have verified it against 2.6.16.1 and it looks
like its still in 2.6.17-rc1. This can allow any user to oops the kernel and DOS
the machine.

The bug exists in the sys_add_key function of the key (keyring) code. The code
can easily be demonstrated by using the userland keyctl tool. Simply by creating
a user key then adding another key to that user key:

[testing@host tmp]$ keyctl show
Session Keyring
-3 lswrv---------- 500 -1 keyring: _uid_ses.500
40 lswrv---------- 500 -1 \_ keyring: _uid.500
[testing@host tmp]$ keyctl add user key-name key-val @s
41
[testing@host tmp]$ keyctl show
Session Keyring
-3 lswrv---------- 500 -1 keyring: _uid_ses.500
40 lswrv---------- 500 -1 \_ keyring: _uid.500
41 lswrv---------- 500 500 \_ user: key-name
[testing@drwlinux tmp]$ keyctl add user crash-me foobar 41
Segmentation fault
Comment 1 Marcel Holtmann 2006-04-10 07:44:38 EDT
Analysis from Daniel Wachdorf (who reported this problem):

My understanding of the code indicates - the problem is that the kernel doesn't
check to ensure that the keyring to attach the current key to is a keyring and
not a user key. The function key_create_or_update makes the assumption that the
provided user keyid (keyring_ref) is of type keyring and not user. Thus, it
calls __keyring_search_one and passes the keyring_ref. Given that the key is a
user keytype and not keyring, the dereference
(rcu_dereference(keyring->payload.subscriptions)) is an invalid memory access.
Comment 3 Marcel Holtmann 2006-04-10 13:02:23 EDT
Patch for the mainline kernel is available from Linus' public tree:

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c3a9d6541f84ac3ff566982d08389b87c1c36b4e
Comment 4 Jason Baron 2006-04-11 12:18:46 EDT
committed in stream U4 build 34.16. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
Comment 9 Red Hat Bugzilla 2006-05-24 05:29:03 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0493.html

Note You need to log in before you can comment on or make changes to this bug.