David Howells 67fbe958a5 KEYS: Fix race between read and revoke ... commit b4a1b4f504 upstream. This fixes CVE-2015-7550. There's a race between keyctl_read() and keyctl_revoke(). If the revoke happens between keyctl_read() checking the validity of a key and the key's semaphore being taken, then the key type read method will see a revoked key. This causes a problem for the user-defined key type because it assumes in its read method that there will always be a payload in a non-revoked key and doesn't check for a NULL pointer. Fix this by making keyctl_read() check the validity of a key after taking semaphore instead of before. I think the bug was introduced with the original keyrings code. This was discovered by a multithreaded test program generated by syzkaller (http://github.com/google/syzkaller). Here's a cleaned up version: #include <sys/types.h> #include <keyutils.h> #include <pthread.h> void *thr0(void *arg) { key_serial_t key = (unsigned long)arg; keyctl_revoke(key); return 0; } void *thr1(void *arg) { key_serial_t key = (unsigned long)arg; char buffer[16]; keyctl_read(key, buffer, 16); return 0; } int main() { key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING); pthread_t th[5]; pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key); pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key); pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key); pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key); pthread_join(th[0], 0); pthread_join(th[1], 0); pthread_join(th[2], 0); pthread_join(th[3], 0); return 0; } Build as: cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread Run as: while keyctl-race; do :; done as it may need several iterations to crash the kernel. The crash can be summarised as: BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 IP: [<ffffffff81279b08>] user_read+0x56/0xa3 ... Call Trace: [<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7 [<ffffffff81277815>] SyS_keyctl+0x83/0xe0 [<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f Reported-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Tested-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: James Morris <james.l.morris@oracle.com> [bwh: Backported to 2.6.32: adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: Willy Tarreau <w@1wt.eu>		2016-01-29 22:12:41 +01:00
..
integrity/ima	ima: free duplicate measurement memory	2012-01-25 13:53:20 -08:00
keys	KEYS: Fix race between read and revoke	2016-01-29 22:12:41 +01:00
selinux	SELinux: Fix kernel BUG on empty security contexts.	2014-05-19 07:54:36 +02:00
smack	seq_file: constify seq_operations	2009-09-23 07:39:29 -07:00
tomoyo	KEYS: Add a keyctl to install a process's session keyring on its parent [try #6]	2009-09-02 21:29:22 +10:00
capability.c	LSM/SELinux: inode_{get,set,notify}secctx hooks to access LSM security context information.	2009-09-10 10:11:24 +10:00
commoncap.c	security: fix compile error in commoncap.c	2012-10-07 23:37:27 +02:00
device_cgroup.c	cgroups: let ss->can_attach and ss->attach do whole threadgroups at a time	2009-09-24 07:20:58 -07:00
inode.c	security: testing the wrong variable in create_by_name()	2010-05-12 14:57:14 -07:00
Kconfig	Merge commit 'v2.6.31-rc8' into x86/txt	2009-09-02 08:17:56 +02:00
lsm_audit.c	lsm: Use a compressed IPv6 string format in audit events	2009-09-24 03:50:26 -04:00
Makefile	NOMMU: Optimise away the {dac_,}mmap_min_addr tests	2010-01-06 15:04:30 -08:00
min_addr.c	mmap_min_addr check CAP_SYS_RAWIO only for write	2010-05-26 14:29:21 -07:00
root_plug.c	rootplug: Remove redundant initialization.	2009-05-27 13:30:46 +10:00
security.c	security: add cred argument to security_capable()	2015-12-06 00:49:09 +01:00