There is a bug in the keyring code by which a user can cause an invalid memory reference and OOPS the kernel. I have verified it against 2.6.16.1 and it looks like it's still in 2.6.17-rc1. This can allow any user to oops the kernel and DOS the machine. The bug exists in the sys_add_key function of the key (keyring) code. The code can easily be demonstrated by using the userland keyctl tool. Simply by creating a user key then adding another key to that user key:

[testing@host tmp]$ keyctl show
Session Keyring
-3 lswrv---------- 500 -1 keyring: _uid_ses.500
40 lswrv---------- 500 -1 \_ keyring: _uid.500
[testing@host tmp]$ keyctl add user key-name key-val @s
41
[testing@host tmp]$ keyctl show
Session Keyring
-3 lswrv---------- 500 -1 keyring: _uid_ses.500
40 lswrv---------- 500 -1 \_ keyring: _uid.500
41 lswrv---------- 500 500 \_ user: key-name
[testing@drwlinux tmp]$ keyctl add user crash-me foobar 41
Segmentation fault
Analysis from Daniel Wachdorf (who reported this problem): My understanding of the code indicates that the problem is that the kernel doesn't check to ensure that the keyring to attach the current key to is a keyring and not a user key. The function key_create_or_update makes the assumption that the provided key id (keyring_ref) is of type keyring and not user. Thus, it calls __keyring_search_one and passes the keyring_ref. Given that the key is a user keytype and not a keyring, the dereference (rcu_dereference(keyring->payload.subscriptions)) is an invalid memory access.
Patch for the mainline kernel is available from Linus' public tree: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c3a9d6541f84ac3ff566982d08389b87c1c36b4e
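The following is an added user-space model of the type check the fix introduces; it is not the kernel's code and not part of the bug report or the referenced commit. The structures (struct key with a union payload, struct keyring_list, the key_type tags) are constructed to mirror the shape of the kernel types described in the analysis above, and the -ENOTDIR return value for a non-keyring target is an assumption about the mainline fix. It replays the report's sequence: adding a user key to a keyring succeeds, while adding a user key to another user key is refused before payload.subscriptions is ever dereferenced.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the kernel key structures (not the real definitions);
 * only the fields needed to show the missing type check are present. */
struct key_type {
    const char *name;
};

static const struct key_type key_type_keyring = { "keyring" };
static const struct key_type key_type_user    = { "user" };

#define KEYRING_MAX 8

struct key;

struct keyring_list {
    size_t nkeys;
    struct key *keys[KEYRING_MAX];
};

struct key {
    const struct key_type *type;
    const char *description;
    union {
        struct keyring_list *subscriptions; /* meaningful only when type is keyring */
        const char *data;                   /* user key: opaque blob */
    } payload;
};

/* Model of __keyring_search_one: walks payload.subscriptions and trusts the
 * caller to have verified the type. If it were handed a user key, the user
 * data pointer would be reinterpreted as a list header, which is the invalid
 * dereference the report describes. */
static struct key *keyring_search_one(struct key *keyring,
                                      const struct key_type *type,
                                      const char *description)
{
    struct keyring_list *klist = keyring->payload.subscriptions;
    for (size_t i = 0; i < klist->nkeys; i++) {
        struct key *k = klist->keys[i];
        if (k->type == type && strcmp(k->description, description) == 0)
            return k;
    }
    return NULL;
}

/* Model of key_create_or_update with the check added: refuse any target that
 * is not a keyring before touching its payload. Returns 0 or a negative errno.
 * -ENOTDIR for a non-keyring target is an assumption about the mainline fix. */
int key_create_or_update(struct key *keyring, struct key *newkey)
{
    if (keyring->type != &key_type_keyring)
        return -ENOTDIR;

    struct key *existing = keyring_search_one(keyring, newkey->type,
                                              newkey->description);
    if (existing) {
        existing->payload = newkey->payload;  /* update in place */
        return 0;
    }

    struct keyring_list *klist = keyring->payload.subscriptions;
    if (klist->nkeys >= KEYRING_MAX)
        return -ENFILE;
    klist->keys[klist->nkeys++] = newkey;
    return 0;
}

/* Constructed keys replaying the report: a session keyring, the user key
 * "key-name", and the user key "crash-me" the reporter tried to attach to it. */
static struct keyring_list session_list;
static struct key session  = { &key_type_keyring, "_ses",     { .subscriptions = &session_list } };
static struct key key_name = { &key_type_user,    "key-name", { .data = "key-val" } };
static struct key crash_me = { &key_type_user,    "crash-me", { .data = "foobar" } };

static void reset_session(void) { session_list.nkeys = 0; }

/* keyctl add user key-name key-val @s : target is a keyring, expect 0. */
int add_user_key_to_keyring(void)
{
    reset_session();
    return key_create_or_update(&session, &key_name);
}

/* keyctl add user crash-me foobar 41 : target is a user key, expect -ENOTDIR
 * instead of an oops. */
int add_user_key_to_user_key(void)
{
    reset_session();
    int rc = key_create_or_update(&session, &key_name);
    if (rc)
        return rc;
    return key_create_or_update(&key_name, &crash_me);
}

size_t session_key_count(void) { return session_list.nkeys; }

int main(void)
{
    printf("add to keyring:  rc=%d\n", add_user_key_to_keyring());
    printf("add to user key: rc=%d (ENOTDIR=%d)\n", add_user_key_to_user_key(), -ENOTDIR);
    return 0;
}
```

The point the model makes is that the type check must come before the payload union is read: once payload.subscriptions is loaded from a user key, whatever happens next is already an invalid access, so no later check can recover.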
Committed in stream U4 build 34.16. A test kernel with this patch is available from http://people.redhat.com/~jbaron/rhel4/
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0493.html