keyctl_session_to_parent(task) sets ->replacement_session_keyring, which should then be processed and cleared by key_replace_session_keyring(). However, the task can fork before it notices TIF_NOTIFY_RESUME, and the new child gets the bogus ->replacement_session_keyring copied by dup_task_struct(). This is obviously wrong and, if nothing else, leads to put_cred(already_freed_cred).

This causes the following panic on ppc64:

Kernel panic - not syncing: CRED: put_cred_rcu() sees c0000001f41a4480 with usage -1
Call Trace:
[c0000001fff53bc0] [c000000000012f04] .show_stack+0x74/0x1c0 (unreliable)
[c0000001fff53c70] [c0000000005c2d18] .panic+0xb8/0x1ec
[c0000001fff53d00] [c0000000000c7858] .put_cred_rcu+0x118/0x120
[c0000001fff53d80] [c000000000117708] .__rcu_process_callbacks+0x158/0x3f0
[c0000001fff53e30] [c0000000001179d4] .rcu_process_callbacks+0x34/0x70
[c0000001fff53eb0] [c00000000009cb18] .__do_softirq+0x118/0x290
[c0000001fff53f90] [c000000000031e28] .call_do_softirq+0x14/0x24
[c0000001fcf7b990] [c00000000000e700] .do_softirq+0xf0/0x110
[c0000001fcf7ba30] [c00000000009c834] .irq_exit+0xb4/0xc0
[c0000001fcf7bab0] [c00000000002e3b8] .timer_interrupt+0x108/0x160
[c0000001fcf7bb40] [c000000000003718] decrementer_common+0x118/0x180
--- Exception: 901 at .raw_local_irq_restore+0x54/0x60
    LR = .cpu_idle+0x14c/0x1d0

The panic is reachable this way on ppc64 because powerpc does not, currently, call key_replace_session_keyring() from the TIF_NOTIFY_RESUME handler. i386, x86_64, s390 and ia64 all do call the keyrings code, so the attack window there is much smaller, though still present.

An unprivileged local user could use this flaw to crash the system.

Introduced by: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ee18d64c
Upstream commit: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=79549c6dfda0603dba9a70a53467ce62d9335c33
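To make the reference-count mechanics behind "put_cred(already_freed_cred)" and "usage -1" visible, the following is an added userspace model written for this page. It is not kernel code and not the upstream patch: the struct and function names are borrowed from the description above, but every body is a simplified stand-in that only tracks references (the real handler also installs the new credentials, which is skipped here). The "fixed" dup_task_struct() variant clears the pending replacement in the child, which is my reading of how the referenced upstream commit addresses the issue; treat that as an assumption and check the commit itself.

```c
#include <stdio.h>

/* Simplified stand-ins for the kernel structures named in the report (model only). */
struct cred {
    int usage;   /* reference count; put_cred_rcu() panics if it drops below 0 */
    int freed;   /* set once the last reference has been dropped */
};

struct task {
    struct cred *replacement_session_keyring;  /* pending cred left by keyctl_session_to_parent() */
    int notify_resume;                          /* models TIF_NOTIFY_RESUME */
};

struct race_result {
    int final_usage;      /* usage count of the replacement cred after both tasks ran */
    int puts_after_free;  /* how many put_cred() calls hit an already freed cred */
};

typedef void (*dup_fn)(struct task *child, const struct task *parent);

static struct cred *get_cred(struct cred *c)
{
    c->usage++;
    return c;
}

/* Returns 1 if this put hit a cred that was already freed, i.e. the
 * put_cred(already_freed_cred) case from the report; 0 otherwise. */
static int put_cred(struct cred *c)
{
    int was_freed = c->freed;
    c->usage--;
    if (c->usage == 0)
        c->freed = 1;   /* the real kernel queues the free via RCU here */
    return was_freed;
}

/* keyctl(KEYCTL_SESSION_TO_PARENT): stash one reference on the parent task
 * and ask it to process it on its next return to userspace. */
static void keyctl_session_to_parent(struct task *parent, struct cred *newcred)
{
    parent->replacement_session_keyring = get_cred(newcred);
    parent->notify_resume = 1;
}

/* TIF_NOTIFY_RESUME handler: consume the stashed reference and clear the field.
 * Returns the put_cred() result so the caller can count puts on freed creds. */
static int key_replace_session_keyring(struct task *t)
{
    struct cred *pending = t->replacement_session_keyring;
    if (!pending)
        return 0;
    t->replacement_session_keyring = NULL;
    t->notify_resume = 0;
    return put_cred(pending);
}

/* Vulnerable dup_task_struct(): a plain copy, so the child inherits the
 * pending pointer without taking a reference of its own. */
static void dup_task_struct_buggy(struct task *child, const struct task *parent)
{
    *child = *parent;
}

/* Fixed variant (assumed shape of the upstream fix): the child never
 * inherits a pending replacement, so only one task ever drops the reference. */
static void dup_task_struct_fixed(struct task *child, const struct task *parent)
{
    *child = *parent;
    child->replacement_session_keyring = NULL;
}

/* Drive the sequence from the report: session_to_parent, fork before the
 * parent has noticed TIF_NOTIFY_RESUME, then both tasks process the flag. */
static struct race_result run_race(dup_fn dup)
{
    struct cred newcred = { 0, 0 };
    struct task parent = { 0, 0 }, child;
    struct race_result r = { 0, 0 };

    keyctl_session_to_parent(&parent, &newcred);                /* usage 1: one reference */
    dup(&child, &parent);                                        /* fork() inside the window */
    r.puts_after_free += key_replace_session_keyring(&parent);  /* usage 0: cred freed */
    r.puts_after_free += key_replace_session_keyring(&child);   /* buggy copy: second put, usage -1 */
    r.final_usage = newcred.usage;
    return r;
}

int main(void)
{
    struct race_result buggy = run_race(dup_task_struct_buggy);
    struct race_result fixed = run_race(dup_task_struct_fixed);
    printf("buggy dup_task_struct: usage %d, puts after free %d\n",
           buggy.final_usage, buggy.puts_after_free);
    printf("fixed dup_task_struct: usage %d, puts after free %d\n",
           fixed.final_usage, fixed.puts_after_free);
    return 0;
}
```

The buggy run ends with the cred at usage -1 after a put on an already freed object, which is exactly the condition put_cred_rcu() reports in the ppc64 panic; the fixed run leaves the child with no pending pointer and the count settles at 0. On architectures that do run the handler promptly the window between keyctl() and fork() is short, but the model shows the defect is in the copy, not in how fast the flag is processed.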
Statement: This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5, as they did not include support for the KEYCTL_SESSION_TO_PARENT keyctl(2) operation introduced in upstream commit ee18d64c. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux MRG 2, as they already contained the fix. This issue was addressed in Red Hat Enterprise Linux 6 via RHSA-2012:1064 (https://rhn.redhat.com/errata/RHSA-2012-1064.html).
Created kernel tracking bugs for this issue
Affects: fedora-all [bug 838890]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6: via RHSA-2012:1064 https://rhn.redhat.com/errata/RHSA-2012-1064.html