From: Greg Kroah-Hartman
Date: Tue, 11 Apr 2006 05:30:10 +0000 (-0700)
Subject: 2.6.16.3 release
X-Git-Tag: v2.6.16.3^0
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5e17ad7a8d08a3eea79f0a6de281960bf407e1e4;p=thirdparty%2Fkernel%2Fstable-queue.git

2.6.16.3 release
---
diff --git a/2.6.16.3/keys-fix-oops-when-adding-key-to-non-keyring.patch b/2.6.16.3/keys-fix-oops-when-adding-key-to-non-keyring.patch new file mode 100644 index 00000000000..a890dc47285 --- /dev/null +++ b/2.6.16.3/keys-fix-oops-when-adding-key-to-non-keyring.patch 
@@ -0,0 +1,61 @@ +From git-commits-head-owner@vger.kernel.org Mon Apr 10 10:01:58 2006 +Date: Mon, 10 Apr 2006 17:01:40 GMT +Message-Id: <200604101701.k3AH1ejA004998@hera.kernel.org> +From: David Howells +To: git-commits-head@vger.kernel.org +Subject: Keys: Fix oops when adding key to non-keyring [CVE-2006-1522] + +From: David Howells + +This fixes the problem of an oops occuring when a user attempts to add a +key to a non-keyring key [CVE-2006-1522]. + +The problem is that __keyring_search_one() doesn't check that the +keyring it's been given is actually a keyring. + +I've fixed this problem by: + + (1) declaring that caller of __keyring_search_one() must guarantee that + the keyring is a keyring; and + + (2) making key_create_or_update() check that the keyring is a keyring, + and return -ENOTDIR if it isn't. + +This can be tested by: + + keyctl add user b b `keyctl add user a a @s` + +Signed-off-by: David Howells +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- a/security/keys/key.c ++++ b/security/keys/key.c +@@ -785,6 +785,10 @@ key_ref_t key_create_or_update(key_ref_t + + key_check(keyring); + ++ key_ref = ERR_PTR(-ENOTDIR); ++ if (keyring->type != &key_type_keyring) ++ goto error_2; ++ + down_write(&keyring->sem); + + /* if we're going to allocate a new key, we're going to have +diff --git a/security/keys/keyring.c b/security/keys/keyring.c +index d65a180..bffa924 100644 +--- a/security/keys/keyring.c ++++ b/security/keys/keyring.c +@@ -437,6 +437,7 @@ EXPORT_SYMBOL(keyring_search); + /* + * search the given keyring only (no recursion) + * - keyring must be locked by caller ++ * - caller must guarantee that the keyring is a keyring + */ + key_ref_t __keyring_search_one(key_ref_t keyring_ref, + const struct key_type *ktype, +- +To unsubscribe from this list: send the line "unsubscribe git-commits-head" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html +
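Review bot: In the security/keys/key.c hunk, the new type test jumps to error_2 before down_write(&keyring->sem) has been taken, and the hunk does not show what error_2 releases. Please confirm that error_2 sits past the up_write() on the exit path, so the early exit never unlocks a semaphore it did not take. It would also help to list -ENOTDIR in the comment above key_create_or_update(), since this is a new error code that callers of that function can now see.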
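Review bot: In the security/keys/keyring.c hunk, the requirement that the argument be a keyring is added only as a comment on __keyring_search_one(), so nothing enforces it for any caller other than key_create_or_update(). Either state in the commit message which other callers exist and why each already passes a real keyring, or add a cheap type test at the top of __keyring_search_one() so that a future caller that breaks the contract gets an error return rather than an oops.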