2.6.16.3 release

diff --git a/2.6.16.3/keys-fix-oops-when-adding-key-to-non-keyring.patch b/2.6.16.3/keys-fix-oops-when-adding-key-to-non-keyring.patch
new file mode 100644 (file)
index 0000000..a890dc4
--- /dev/null
+++ b/2.6.16.3/keys-fix-oops-when-adding-key-to-non-keyring.patch
@@ -0,0 +1,61 @@
+From git-commits-head-owner@vger.kernel.org Mon Apr 10 10:01:58 2006
+Date: Mon, 10 Apr 2006 17:01:40 GMT
+Message-Id: <200604101701.k3AH1ejA004998@hera.kernel.org>
+From: David Howells <dhowells@redhat.com>
+To: git-commits-head@vger.kernel.org
+Subject: Keys: Fix oops when adding key to non-keyring [CVE-2006-1522]
+
+From: David Howells <dhowells@redhat.com>
+
+This fixes the problem of an oops occuring when a user attempts to add a
+key to a non-keyring key [CVE-2006-1522].
+
+The problem is that __keyring_search_one() doesn't check that the
+keyring it's been given is actually a keyring.
+
+I've fixed this problem by:
+
+ (1) declaring that caller of __keyring_search_one() must guarantee that
+     the keyring is a keyring; and
+
+ (2) making key_create_or_update() check that the keyring is a keyring,
+     and return -ENOTDIR if it isn't.
+
+This can be tested by:
+
+       keyctl add user b b `keyctl add user a a @s`
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+--- a/security/keys/key.c
++++ b/security/keys/key.c
+@@ -785,6 +785,10 @@ key_ref_t key_create_or_update(key_ref_t
+ 
+       key_check(keyring);
+ 
++      key_ref = ERR_PTR(-ENOTDIR);
++      if (keyring->type != &key_type_keyring)
++              goto error_2;
++
+       down_write(&keyring->sem);
+ 
+       /* if we're going to allocate a new key, we're going to have
+diff --git a/security/keys/keyring.c b/security/keys/keyring.c
+index d65a180..bffa924 100644
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -437,6 +437,7 @@ EXPORT_SYMBOL(keyring_search);
+ /*
+  * search the given keyring only (no recursion)
+  * - keyring must be locked by caller
++ * - caller must guarantee that the keyring is a keyring
+  */
+ key_ref_t __keyring_search_one(key_ref_t keyring_ref,
+                              const struct key_type *ktype,
+-
+To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
+