Message ID | 1323189125-20157-2-git-send-email-apw@canonical.com |
---|---|
State | New |
Headers | show |
On 12/06/2011 09:32 AM, Andy Whitcroft wrote: > From: David Howells<dhowells@redhat.com> > > Fix a NULL pointer deref in the user-defined key type whereby updating a > negative key into a fully instantiated key will cause an oops to occur > when the code attempts to free the non-existent old payload. > > This results in an oops that looks something like the following: > > BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 > IP: [<ffffffff81085fa1>] __call_rcu+0x11/0x13e > PGD 3391d067 PUD 3894a067 PMD 0 > Oops: 0002 [#1] SMP > CPU 1 > Pid: 4354, comm: keyctl Not tainted 3.1.0-fsdevel+ #1140 /DG965RY > RIP: 0010:[<ffffffff81085fa1>] [<ffffffff81085fa1>] __call_rcu+0x11/0x13e > RSP: 0018:ffff88003d591df8 EFLAGS: 00010246 > RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000006e > RDX: ffffffff8161d0c0 RSI: 0000000000000000 RDI: 0000000000000000 > RBP: ffff88003d591e18 R08: 0000000000000000 R09: ffffffff8152fa6c > R10: 0000000000000000 R11: 0000000000000300 R12: ffff88003b8f9538 > R13: ffffffff8161d0c0 R14: ffff88003b8f9d50 R15: ffff88003c69f908 > FS: 00007f97eb18c720(0000) GS:ffff88003bd00000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000000000000008 CR3: 000000003d47a000 CR4: 00000000000006e0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 > Process keyctl (pid: 4354, threadinfo ffff88003d590000, task ffff88003c78a040) > Stack: > ffff88003e0ffde0 ffff88003b8f9538 0000000000000001 ffff88003b8f9d50 > ffff88003d591e28 ffffffff810860f0 ffff88003d591e68 ffffffff8117bfea > ffff88003d591e68 ffffffff00000000 ffff88003e0ffde1 ffff88003e0ffde0 > Call Trace: > [<ffffffff810860f0>] call_rcu_sched+0x10/0x12 > [<ffffffff8117bfea>] user_update+0x8d/0xa2 > [<ffffffff8117723a>] key_create_or_update+0x236/0x270 > [<ffffffff811789b1>] sys_add_key+0x123/0x17e > [<ffffffff813b84bb>] system_call_fastpath+0x16/0x1b > > Signed-off-by: David Howells<dhowells@redhat.com> > Acked-by: Jeff Layton<jlayton@redhat.com> > Acked-by: Neil Horman<nhorman@redhat.com> > Acked-by: Steve Dickson<steved@redhat.com> > Acked-by: James Morris<jmorris@namei.org> > Cc: stable@kernel.org > Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org> > > (backported from commit 9f35a33b8d06263a165efe3541d9aa0cdbd70b3b) > CVE-2011-4110 > BugLink: http://bugs.launchpad.net/bugs/894369 > Signed-off-by: Andy Whitcroft<apw@canonical.com> > --- > security/keys/user_defined.c | 3 ++- > 1 files changed, 2 insertions(+), 1 deletions(-) > > diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c > index 7c687d5..97edf29 100644 > --- a/security/keys/user_defined.c > +++ b/security/keys/user_defined.c > @@ -119,7 +119,8 @@ int user_update(struct key *key, const void *data, size_t datalen) > key->expiry = 0; > } > > - call_rcu(&zap->rcu, user_update_rcu_disposal); > + if (zap) > + call_rcu(&zap->rcu, user_update_rcu_disposal); > > error: > return ret;
On Tue, Dec 06, 2011 at 04:32:05PM +0000, Andy Whitcroft wrote: > From: David Howells <dhowells@redhat.com> > > Fix a NULL pointer deref in the user-defined key type whereby updating a > negative key into a fully instantiated key will cause an oops to occur > when the code attempts to free the non-existent old payload. > > This results in an oops that looks something like the following: > > BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 > IP: [<ffffffff81085fa1>] __call_rcu+0x11/0x13e > PGD 3391d067 PUD 3894a067 PMD 0 > Oops: 0002 [#1] SMP > CPU 1 > Pid: 4354, comm: keyctl Not tainted 3.1.0-fsdevel+ #1140 /DG965RY > RIP: 0010:[<ffffffff81085fa1>] [<ffffffff81085fa1>] __call_rcu+0x11/0x13e > RSP: 0018:ffff88003d591df8 EFLAGS: 00010246 > RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000006e > RDX: ffffffff8161d0c0 RSI: 0000000000000000 RDI: 0000000000000000 > RBP: ffff88003d591e18 R08: 0000000000000000 R09: ffffffff8152fa6c > R10: 0000000000000000 R11: 0000000000000300 R12: ffff88003b8f9538 > R13: ffffffff8161d0c0 R14: ffff88003b8f9d50 R15: ffff88003c69f908 > FS: 00007f97eb18c720(0000) GS:ffff88003bd00000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000000000000008 CR3: 000000003d47a000 CR4: 00000000000006e0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 > Process keyctl (pid: 4354, threadinfo ffff88003d590000, task ffff88003c78a040) > Stack: > ffff88003e0ffde0 ffff88003b8f9538 0000000000000001 ffff88003b8f9d50 > ffff88003d591e28 ffffffff810860f0 ffff88003d591e68 ffffffff8117bfea > ffff88003d591e68 ffffffff00000000 ffff88003e0ffde1 ffff88003e0ffde0 > Call Trace: > [<ffffffff810860f0>] call_rcu_sched+0x10/0x12 > [<ffffffff8117bfea>] user_update+0x8d/0xa2 > [<ffffffff8117723a>] key_create_or_update+0x236/0x270 > [<ffffffff811789b1>] sys_add_key+0x123/0x17e > [<ffffffff813b84bb>] system_call_fastpath+0x16/0x1b > > Signed-off-by: David Howells <dhowells@redhat.com> > Acked-by: Jeff Layton <jlayton@redhat.com> > Acked-by: Neil Horman <nhorman@redhat.com> > Acked-by: Steve Dickson <steved@redhat.com> > Acked-by: James Morris <jmorris@namei.org> > Cc: stable@kernel.org > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > > (backported from commit 9f35a33b8d06263a165efe3541d9aa0cdbd70b3b) > CVE-2011-4110 > BugLink: http://bugs.launchpad.net/bugs/894369 > Signed-off-by: Andy Whitcroft <apw@canonical.com> Acked-by: Seth Forshee <seth.forshee@canonical.com> > --- > security/keys/user_defined.c | 3 ++- > 1 files changed, 2 insertions(+), 1 deletions(-) > > diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c > index 7c687d5..97edf29 100644 > --- a/security/keys/user_defined.c > +++ b/security/keys/user_defined.c > @@ -119,7 +119,8 @@ int user_update(struct key *key, const void *data, size_t datalen) > key->expiry = 0; > } > > - call_rcu(&zap->rcu, user_update_rcu_disposal); > + if (zap) > + call_rcu(&zap->rcu, user_update_rcu_disposal); > > error: > return ret; > -- > 1.7.5.4 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c index 7c687d5..97edf29 100644 --- a/security/keys/user_defined.c +++ b/security/keys/user_defined.c @@ -119,7 +119,8 @@ int user_update(struct key *key, const void *data, size_t datalen) key->expiry = 0; } - call_rcu(&zap->rcu, user_update_rcu_disposal); + if (zap) + call_rcu(&zap->rcu, user_update_rcu_disposal); error: return ret;