Bug 833428 (CVE-2012-2745) - CVE-2012-2745 kernel: cred: copy_process() should clear child->replacement_session_keyring
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-2745
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 827424 833433 838811 838812 838890
Blocks: 833445
Reported: 2012-06-19 13:01 UTC by Petr Matousek
Modified: 2021-02-23 14:29 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-08-24 12:44:23 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:1064 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2012-07-10 19:22:46 UTC

Description Petr Matousek 2012-06-19 13:01:08 UTC
keyctl_session_to_parent(task) sets ->replacement_session_keyring, it should be processed and cleared by key_replace_session_keyring().

However, this task can fork before it notices TIF_NOTIFY_RESUME and the new child gets the bogus ->replacement_session_keyring copied by dup_task_struct(). This is obviously wrong and, if nothing else, this leads to put_cred(already_freed_cred).

This causes the following panic on ppc64:
Kernel panic - not syncing: CRED: put_cred_rcu() sees c0000001f41a4480 with usage -1

Call Trace:
[c0000001fff53bc0] [c000000000012f04] .show_stack+0x74/0x1c0 (unreliable)  
[c0000001fff53c70] [c0000000005c2d18] .panic+0xb8/0x1ec
[c0000001fff53d00] [c0000000000c7858] .put_cred_rcu+0x118/0x120
[c0000001fff53d80] [c000000000117708] .__rcu_process_callbacks+0x158/0x3f0
[c0000001fff53e30] [c0000000001179d4] .rcu_process_callbacks+0x34/0x70
[c0000001fff53eb0] [c00000000009cb18] .__do_softirq+0x118/0x290
[c0000001fff53f90] [c000000000031e28] .call_do_softirq+0x14/0x24
[c0000001fcf7b990] [c00000000000e700] .do_softirq+0xf0/0x110
[c0000001fcf7ba30] [c00000000009c834] .irq_exit+0xb4/0xc0
[c0000001fcf7bab0] [c00000000002e3b8] .timer_interrupt+0x108/0x160
[c0000001fcf7bb40] [c000000000003718] decrementer_common+0x118/0x180
--- Exception: 901 at .raw_local_irq_restore+0x54/0x60
    LR = .cpu_idle+0x14c/0x1d0

Because powerpc does not, currently, call key_replace_session_keyring() from the TIF_NOTIFY_RESUME handler. i386, x86_64, s390 and ia64 all do call the keyrings code and so the attack window is much smaller - though still present.

An unprivileged local user could use this flaw to crash the system.

Introduced by:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ee18d64c

Upstream commit:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=79549c6dfda0603dba9a70a53467ce62d9335c33
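
The reference-count imbalance described above, as a user-space model added here (not kernel code and not part of the original report). The structs are simplified stand-ins, and `fork_task`, `final_usage` and `clear_pending` are hypothetical names; `clear_pending` selects the behaviour the bug title asks for, clearing the child's copy of the pointer.

```c
#include <stdio.h>

/* Constructed model: simplified stand-ins for struct cred / task_struct. */
struct cred { int usage; };
struct task {
    struct cred *cred;                         /* active credentials */
    struct cred *replacement_session_keyring;  /* pending, holds one reference */
};

static void put_cred(struct cred *c) { c->usage--; }

/* Model of key_replace_session_keyring(): the pending reference becomes the active one. */
static void key_replace_session_keyring(struct task *t)
{
    struct cred *new = t->replacement_session_keyring;
    if (!new) return;
    t->replacement_session_keyring = NULL;
    put_cred(t->cred);      /* drop the old active cred */
    t->cred = new;
}

/* Model of fork: struct copy (dup_task_struct) plus a reference on the active cred. */
static struct task fork_task(const struct task *parent, int clear_pending)
{
    struct task child = *parent;    /* pending pointer copied, no reference taken */
    child.cred->usage++;
    if (clear_pending)              /* hypothetical switch: the fixed behaviour */
        child.replacement_session_keyring = NULL;
    return child;
}

/* Returns the pending cred's usage count after parent and child have both exited. */
int final_usage(int clear_pending)
{
    struct cred base = { 1 }, pending = { 1 };
    struct task parent = { &base, &pending };   /* replacement already queued */
    struct task child = fork_task(&parent, clear_pending); /* fork before it is processed */
    key_replace_session_keyring(&parent);
    key_replace_session_keyring(&child);
    put_cred(parent.cred);   /* parent exits */
    put_cred(child.cred);    /* child exits */
    return pending.usage;
}

int main(void)
{
    printf("no clear: %d, clear: %d\n", final_usage(0), final_usage(1));
    return 0;
}
```

Without the clear, two tasks release a reference that was only taken once, which is the `usage -1` state reported by `put_cred_rcu()` in the panic message.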

Comment 4 Petr Matousek 2012-07-10 08:19:18 UTC
Statement:

This issue did not affect the versions of the Linux kernel as shipped with Red 
Hat Enterprise Linux 5 as they did not include support for 
KEYCTL_SESSION_TO_PARENT keyctl IOCTL as introduced in upstream commit ee18d64c. 
This issue did not affect the versions of the Linux kernel as shipped with Red 
Hat Enterprise Linux MRG 2 as they already contain the fix.

This issue was addressed in Red Hat Enterprise Linux 6 via RHSA-2012:1064 https://rhn.redhat.com/errata/RHSA-2012-1064.html.

Comment 6 Petr Matousek 2012-07-10 11:19:01 UTC
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 838890]

Comment 7 errata-xmlrpc 2012-07-10 11:43:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1064 https://rhn.redhat.com/errata/RHSA-2012-1064.html

