linux/security/keys
David Howells 979e0d7465 KEYS: Make the keyring cycle detector ignore other keyrings of the same name
This fixes CVE-2014-0102.

The following command sequence produces an oops:

	keyctl new_session
	i=`keyctl newring _ses @s`
	keyctl link @s $i

The problem is that search_nested_keyrings() sees two keyrings that have
matching type and description, so keyring_compare_object() returns true.
s_n_k() then passes the key to the iterator function -
keyring_detect_cycle_iterator() - which *should* check to see whether this is
the keyring of interest, not just one with the same name.

Because assoc_array_find() will return one and only one match, I assumed that
the iterator function would only see an exact match or never be called - but
the iterator isn't only called from assoc_array_find()...

The oops looks something like this:

	kernel BUG at /data/fs/linux-2.6-fscache/security/keys/keyring.c:1003!
	invalid opcode: 0000 [#1] SMP
	...
	RIP: keyring_detect_cycle_iterator+0xe/0x1f
	...
	Call Trace:
	  search_nested_keyrings+0x76/0x2aa
	  __key_link_check_live_key+0x50/0x5f
	  key_link+0x4e/0x85
	  keyctl_keyring_link+0x60/0x81
	  SyS_keyctl+0x65/0xe4
	  tracesys+0xdd/0xe2

The fix is to make keyring_detect_cycle_iterator() check that the key it
has is the key it was actually looking for rather than calling BUG_ON().

A testcase has been included in the keyutils testsuite for this:

	http://git.kernel.org/cgit/linux/kernel/git/dhowells/keyutils.git/commit/?id=891f3365d07f1996778ade0e3428f01878a1790b

Reported-by: Tommi Rantala <tt.rantala@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-03-09 18:57:18 -07:00
..
encrypted-keys KEYS: Add payload preparsing opportunity prior to key instantiate or update 2012-10-08 13:49:48 +10:30
big_key.c security: shmem: implement kernel private shmem inodes 2013-12-02 11:24:19 +00:00
compat.c KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches 2013-09-24 10:35:19 +01:00
gc.c KEYS: Fix keyring content gc scanner 2013-11-14 14:09:53 +00:00
internal.h KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches 2013-09-24 10:35:19 +01:00
Kconfig KEYS: Make BIG_KEYS boolean 2013-10-30 11:15:23 +00:00
key.c KEYS: Pre-clear struct key on allocation 2013-12-02 11:24:18 +00:00
keyctl.c KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches 2013-09-24 10:35:19 +01:00
keyring.c KEYS: Make the keyring cycle detector ignore other keyrings of the same name 2014-03-09 18:57:18 -07:00
Makefile KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches 2013-09-24 10:35:19 +01:00
permission.c userns: Convert security/keys to the new userns infrastructure 2012-09-13 18:28:02 -07:00
persistent.c KEYS: Fix UID check in keyctl_get_persistent() 2013-11-06 14:01:51 +00:00
proc.c KEYS: Introduce a search context structure 2013-09-24 10:35:15 +01:00
process_keys.c KEYS: initialize root uid and session keyrings early 2013-09-25 17:17:01 +01:00
request_key_auth.c KEYS: Search for auth-key by name rather than target key ID 2013-09-24 10:35:16 +01:00
request_key.c KEYS: Fix a race between negating a key and reading the error set 2013-10-30 11:15:24 +00:00
sysctl.c KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches 2013-09-24 10:35:19 +01:00
trusted.c Merge branch 'modules-next' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux 2012-10-14 13:39:34 -07:00
trusted.h trusted-keys: rename trusted_defined files to trusted 2011-01-24 10:14:22 +11:00
user_defined.c KEYS: Introduce a search context structure 2013-09-24 10:35:15 +01:00