diff mbox

[Trusty,SRU] Fix CVE-2017-6951

Message ID 1503586361-23315-1-git-send-email-stefan.bader@canonical.com
State New
Headers show

Commit Message

Stefan Bader Aug. 24, 2017, 2:52 p.m. UTC
From 83b740311f54141b54f8684f131f2eb6e17e3891 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 18 Apr 2017 15:31:08 +0100
Subject: [PATCH] KEYS: Change the name of the dead type to ".dead" to prevent
 user access

This fixes CVE-2017-6951.

Userspace should not be able to do things with the "dead" key type as it
doesn't have some of the helper functions set upon it that the kernel
needs.  Attempting to use it may cause the kernel to crash.

Fix this by changing the name of the type to ".dead" so that it's rejected
up front on userspace syscalls by key_get_type_from_user().

Though this doesn't seem to affect recent kernels, it does affect older
ones, certainly those prior to:

	commit c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81
	Author: David Howells <dhowells@redhat.com>
	Date:   Tue Sep 16 17:36:06 2014 +0100
	KEYS: Remove key_type::match in favour of overriding default by match_preparse

which went in before 3.18-rc1.

Signed-off-by: David Howells <dhowells@redhat.com>
cc: stable@vger.kernel.org

CVE-2017-6951

(cherry-picked from commit c1644fe041ebaf6519f6809146a77c3ead9193af)
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
---
 Notes:
 - From how I read the comments all kernels after 3.18-rc1 were not
   affected. But even then this patch would not hurt. And it was
   indeed picked up by 4.4.y in Xenial.
 - Any kernels before 4.18-rc1 would be fixed by this patch alone
   which is much less complicated to pull backwards (still a
   cherry-pick for Trusty).
 - So beside of adding this patch for Trusty we have to update the
   cve triaging in a way that either of the two SHA1s is ok.

-Stefan

 security/keys/gc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Colin Ian King Aug. 24, 2017, 2:56 p.m. UTC | #1
On 24/08/17 15:52, Stefan Bader wrote:
> From 83b740311f54141b54f8684f131f2eb6e17e3891 Mon Sep 17 00:00:00 2001
> From: David Howells <dhowells@redhat.com>
> Date: Tue, 18 Apr 2017 15:31:08 +0100
> Subject: [PATCH] KEYS: Change the name of the dead type to ".dead" to prevent
>  user access
> 
> This fixes CVE-2017-6951.
> 
> Userspace should not be able to do things with the "dead" key type as it
> doesn't have some of the helper functions set upon it that the kernel
> needs.  Attempting to use it may cause the kernel to crash.
> 
> Fix this by changing the name of the type to ".dead" so that it's rejected
> up front on userspace syscalls by key_get_type_from_user().
> 
> Though this doesn't seem to affect recent kernels, it does affect older
> ones, certainly those prior to:
> 
> 	commit c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81
> 	Author: David Howells <dhowells@redhat.com>
> 	Date:   Tue Sep 16 17:36:06 2014 +0100
> 	KEYS: Remove key_type::match in favour of overriding default by match_preparse
> 
> which went in before 3.18-rc1.
> 
> Signed-off-by: David Howells <dhowells@redhat.com>
> cc: stable@vger.kernel.org
> 
> CVE-2017-6951
> 
> (cherry-picked from commit c1644fe041ebaf6519f6809146a77c3ead9193af)
> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  Notes:
>  - From how I read the comments all kernels after 3.18-rc1 were not
>    affected. But even then this patch would not hurt. And it was
>    indeed picked up by 4.4.y in Xenial.
>  - Any kernels before 4.18-rc1 would be fixed by this patch alone
>    which is much less complicated to pull backwards (still a
>    cherry-pick for Trusty).
>  - So beside of adding this patch for Trusty we have to update the
>    cve triaging in a way that either of the two SHA1s is ok.
> 
> -Stefan
> 
>  security/keys/gc.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/security/keys/gc.c b/security/keys/gc.c
> index 4a78033..da715eb 100644
> --- a/security/keys/gc.c
> +++ b/security/keys/gc.c
> @@ -46,7 +46,7 @@ static unsigned long key_gc_flags;
>   * immediately unlinked.
>   */
>  struct key_type key_type_dead = {
> -	.name = "dead",
> +	.name = ".dead",
>  };
>  
>  /*
> 

that's a novel fix. Clean cherry pick. Looks OK to me.

Acked-by: Colin Ian King <colin.king@canonical.com>
Kleber Sacilotto de Souza Aug. 25, 2017, 8:25 a.m. UTC | #2
On 08/24/17 16:52, Stefan Bader wrote:
> From 83b740311f54141b54f8684f131f2eb6e17e3891 Mon Sep 17 00:00:00 2001
> From: David Howells <dhowells@redhat.com>
> Date: Tue, 18 Apr 2017 15:31:08 +0100
> Subject: [PATCH] KEYS: Change the name of the dead type to ".dead" to prevent
>  user access
> 
> This fixes CVE-2017-6951.
> 
> Userspace should not be able to do things with the "dead" key type as it
> doesn't have some of the helper functions set upon it that the kernel
> needs.  Attempting to use it may cause the kernel to crash.
> 
> Fix this by changing the name of the type to ".dead" so that it's rejected
> up front on userspace syscalls by key_get_type_from_user().
> 
> Though this doesn't seem to affect recent kernels, it does affect older
> ones, certainly those prior to:
> 
> 	commit c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81
> 	Author: David Howells <dhowells@redhat.com>
> 	Date:   Tue Sep 16 17:36:06 2014 +0100
> 	KEYS: Remove key_type::match in favour of overriding default by match_preparse
> 
> which went in before 3.18-rc1.
> 
> Signed-off-by: David Howells <dhowells@redhat.com>
> cc: stable@vger.kernel.org
> 
> CVE-2017-6951
> 
> (cherry-picked from commit c1644fe041ebaf6519f6809146a77c3ead9193af)
> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  Notes:
>  - From how I read the comments all kernels after 3.18-rc1 were not
>    affected. But even then this patch would not hurt. And it was
>    indeed picked up by 4.4.y in Xenial.
>  - Any kernels before 4.18-rc1 would be fixed by this patch alone
>    which is much less complicated to pull backwards (still a
>    cherry-pick for Trusty).
>  - So beside of adding this patch for Trusty we have to update the
>    cve triaging in a way that either of the two SHA1s is ok.
> 
> -Stefan
> 
>  security/keys/gc.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/security/keys/gc.c b/security/keys/gc.c
> index 4a78033..da715eb 100644
> --- a/security/keys/gc.c
> +++ b/security/keys/gc.c
> @@ -46,7 +46,7 @@ static unsigned long key_gc_flags;
>   * immediately unlinked.
>   */
>  struct key_type key_type_dead = {
> -	.name = "dead",
> +	.name = ".dead",
>  };
>  
>  /*
> 

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Kleber Sacilotto de Souza Aug. 25, 2017, 8:29 a.m. UTC | #3
Applied to trusty/master-next branch. Thanks.
diff mbox

Patch

diff --git a/security/keys/gc.c b/security/keys/gc.c
index 4a78033..da715eb 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -46,7 +46,7 @@  static unsigned long key_gc_flags;
  * immediately unlinked.
  */
 struct key_type key_type_dead = {
-	.name = "dead",
+	.name = ".dead",
 };
 
 /*