• Yevgeny Pats's avatar
    KEYS: Fix keyring ref leak in join_session_keyring() · 6849cd97
    Yevgeny Pats authored
    commit 23567fd0 upstream.
    
    This fixes CVE-2016-0728.
    
    If a thread is asked to join as a session keyring the keyring that's already
    set as its session, we leak a keyring reference.
    
    This can be tested with the following program:
    
    	#include <stddef.h>
    	#include <stdio.h>
    	#include <sys/types.h>
    	#include <keyutils.h>
    
    	int main(int argc, const char *argv[])
    	{
    		int i = 0;
    		key_serial_t serial;
    
    		serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
    				"leaked-keyring");
    		if (serial < 0) {
    			perror("keyctl");
    			return -1;
    		}
    
    		if (keyctl(KEYCTL_SETPERM, serial,
    			   KEY_POS_ALL | KEY_USR_ALL) < 0) {
    			perror("keyctl");
    			return -1;
    		}
    
    		for (i = 0; i < 100; i++) {
    			serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
    					"leaked-keyring");
    			if (serial < 0) {
    				perror("keyctl");
    				return -1;
    			}
    		}
    
    		return 0;
    	}
    
    If, after the program has run, there something like the following line in
    /proc/keys:
    
    3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty
    
    with a usage count of 100 * the number of times the program has been run,
    then the kernel is malfunctioning.  If leaked-keyring has zero usages or
    has been garbage collected, then the problem is fixed.
    Reported-by: default avatarYevgeny Pats <yevgeny@perception-point.io>
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Acked-by: default avatarDon Zickus <dzickus@redhat.com>
    Acked-by: default avatarPrarit Bhargava <prarit@redhat.com>
    Acked-by: default avatarJarod Wilson <jarod@redhat.com>
    Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
    Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
    6849cd97
process_keys.c 20.2 KB