Bug 833428 - (CVE-2012-2745) CVE-2012-2745 kernel: cred: copy_process() should clear child->replacement_session_keyring
CVE-2012-2745 kernel: cred: copy_process() should clear child->replacement_se...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20120710,repor...
: Security
Depends On: 827424 833433 838811 838812 838890
Blocks: 833445
  Show dependency treegraph
 
Reported: 2012-06-19 09:01 EDT by Petr Matousek
Modified: 2016-11-08 11:14 EST (History)
18 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-08-24 08:44:23 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Petr Matousek 2012-06-19 09:01:08 EDT
keyctl_session_to_parent(task) sets ->replacement_session_keyring, it should be processed and cleared by key_replace_session_keyring().

However, this task can fork before it notices TIF_NOTIFY_RESUME and the new child gets the bogus ->replacement_session_keyring copied by dup_task_struct(). This is obviously wrong and, if nothing else, this
leads to put_cred(already_freed_cred).

This causes the following panic on ppc64:
Kernel panic - not syncing: CRED: put_cred_rcu() sees c0000001f41a4480 with usage -1

Call Trace:
[c0000001fff53bc0] [c000000000012f04] .show_stack+0x74/0x1c0 (unreliable)  
[c0000001fff53c70] [c0000000005c2d18] .panic+0xb8/0x1ec
[c0000001fff53d00] [c0000000000c7858] .put_cred_rcu+0x118/0x120
[c0000001fff53d80] [c000000000117708] .__rcu_process_callbacks+0x158/0x3f0
[c0000001fff53e30] [c0000000001179d4] .rcu_process_callbacks+0x34/0x70
[c0000001fff53eb0] [c00000000009cb18] .__do_softirq+0x118/0x290
[c0000001fff53f90] [c000000000031e28] .call_do_softirq+0x14/0x24
[c0000001fcf7b990] [c00000000000e700] .do_softirq+0xf0/0x110
[c0000001fcf7ba30] [c00000000009c834] .irq_exit+0xb4/0xc0
[c0000001fcf7bab0] [c00000000002e3b8] .timer_interrupt+0x108/0x160
[c0000001fcf7bb40] [c000000000003718] decrementer_common+0x118/0x180
--- Exception: 901 at .raw_local_irq_restore+0x54/0x60
    LR = .cpu_idle+0x14c/0x1d0

Because powerpc does not, currently, call key_replace_session_keyring() from the TIF_NOTIFY_RESUME handler. i386, x86_64, s390 and ia64 all do call the keyrings code and so the attack window is much smaller - though still present.

An unprivileged local user could use this flaw to crash the system.

Introduced by:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ee18d64c

Upstream commit:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=79549c6dfda0603dba9a70a53467ce62d9335c33
Comment 4 Petr Matousek 2012-07-10 04:19:18 EDT
Statement:

This issue did not affect the versions of the Linux kernel as shipped with Red 
Hat Enterprise Linux 5 as they did not include support for 
KEYCTL_SESSION_TO_PARENT keyctl IOCTL as introduced in upstream commit ee18d64c. 
This issue did not affect the versions of the Linux kernel as shipped with Red 
Hat Enterprise Linux MRG 2 as they already contain the fix.

This issue was addressed in Red Hat Enterprise Linux 6 via RHSA-2012:1064 https://rhn.redhat.com/errata/RHSA-2012-1064.html.
Comment 6 Petr Matousek 2012-07-10 07:19:01 EDT
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 838890]
Comment 7 errata-xmlrpc 2012-07-10 07:43:12 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1064 https://rhn.redhat.com/errata/RHSA-2012-1064.html

Note You need to log in before you can comment on or make changes to this bug.