From patchwork Thu Aug 24 14:52:41 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Bader X-Patchwork-Id: 805519 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 3xdS2X2Fmhz9sNd; Fri, 25 Aug 2017 00:52:52 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1dktV2-0008TH-0n; Thu, 24 Aug 2017 14:52:48 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from ) id 1dktUw-0008Ss-D5 for kernel-team@lists.ubuntu.com; Thu, 24 Aug 2017 14:52:42 +0000 Received: from 1.general.smb.uk.vpn ([10.172.193.28] helo=canonical.com) by youngberry.canonical.com with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1dktUw-0002h0-31 for kernel-team@lists.ubuntu.com; Thu, 24 Aug 2017 14:52:42 +0000 From: Stefan Bader To: kernel-team@lists.ubuntu.com Subject: [Trusty SRU] Fix CVE-2017-6951 Date: Thu, 24 Aug 2017 16:52:41 +0200 Message-Id: <1503586361-23315-1-git-send-email-stefan.bader@canonical.com> X-Mailer: git-send-email 2.7.4 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.14 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com From 83b740311f54141b54f8684f131f2eb6e17e3891 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 18 Apr 2017 15:31:08 +0100 Subject: [PATCH] KEYS: Change the name of the dead type to ".dead" to prevent user access This fixes CVE-2017-6951. Userspace should not be able to do things with the "dead" key type as it doesn't have some of the helper functions set upon it that the kernel needs. Attempting to use it may cause the kernel to crash. Fix this by changing the name of the type to ".dead" so that it's rejected up front on userspace syscalls by key_get_type_from_user(). Though this doesn't seem to affect recent kernels, it does affect older ones, certainly those prior to: commit c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81 Author: David Howells Date: Tue Sep 16 17:36:06 2014 +0100 KEYS: Remove key_type::match in favour of overriding default by match_preparse which went in before 3.18-rc1. Signed-off-by: David Howells cc: stable@vger.kernel.org CVE-2017-6951 (cherry-picked from commit c1644fe041ebaf6519f6809146a77c3ead9193af) Signed-off-by: Stefan Bader Acked-by: Colin Ian King Acked-by: Kleber Sacilotto de Souza --- Notes: - From how I read the comments all kernels after 3.18-rc1 were not affected. But even then this patch would not hurt. And it was indeed picked up by 4.4.y in Xenial. - Any kernels before 4.18-rc1 would be fixed by this patch alone which is much less complicated to pull backwards (still a cherry-pick for Trusty). - So beside of adding this patch for Trusty we have to update the cve triaging in a way that either of the two SHA1s is ok. -Stefan security/keys/gc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/keys/gc.c b/security/keys/gc.c index 4a78033..da715eb 100644 --- a/security/keys/gc.c +++ b/security/keys/gc.c @@ -46,7 +46,7 @@ static unsigned long key_gc_flags; * immediately unlinked. */ struct key_type key_type_dead = { - .name = "dead", + .name = ".dead", }; /*