• D
    KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring · 3d96406c
    David Howells 提交于
    Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
    of the parent process's session keyring whether or not the parent has a session
    keyring [CVE-2010-2960].
    
    This results in the following oops:
    
      BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
      IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443
      ...
      Call Trace:
       [<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443
       [<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0
       [<ffffffff811af98c>] sys_keyctl+0xb4/0xb8
       [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
    
    if the parent process has no session keyring.
    
    If the system is using pam_keyinit then it mostly protected against this as all
    processes derived from a login will have inherited the session keyring created
    by pam_keyinit during the log in procedure.
    
    To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.
    Reported-by: NTavis Ormandy <taviso@cmpxchg8b.com>
    Signed-off-by: NDavid Howells <dhowells@redhat.com>
    Acked-by: NTavis Ormandy <taviso@cmpxchg8b.com>
    Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
    3d96406c
keyctl.c 33.4 KB