From dbd864699ab04981a840d474f5f1eb62da627a93 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 20 Jan 2016 08:59:34 -0800 Subject: [PATCH] 4.4-stable patches added patches: keys-fix-keyring-ref-leak-in-join_session_keyring.patch keys-prevent-keys-from-being-removed-from-specified-keyrings.patch keys-refcount-bug-fix.patch --- ...ing-ref-leak-in-join_session_keyring.patch | 82 +++++++ ...eing-removed-from-specified-keyrings.patch | 205 ++++++++++++++++++ queue-4.4/keys-refcount-bug-fix.patch | 84 +++++++ 3 files changed, 371 insertions(+) create mode 100644 queue-4.4/keys-fix-keyring-ref-leak-in-join_session_keyring.patch create mode 100644 queue-4.4/keys-prevent-keys-from-being-removed-from-specified-keyrings.patch create mode 100644 queue-4.4/keys-refcount-bug-fix.patch diff --git a/queue-4.4/keys-fix-keyring-ref-leak-in-join_session_keyring.patch b/queue-4.4/keys-fix-keyring-ref-leak-in-join_session_keyring.patch new file mode 100644 index 00000000000..6285e4cfa18 --- /dev/null +++ b/queue-4.4/keys-fix-keyring-ref-leak-in-join_session_keyring.patch @@ -0,0 +1,82 @@ +From 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2 Mon Sep 17 00:00:00 2001 +From: Yevgeny Pats +Date: Tue, 19 Jan 2016 22:09:04 +0000 +Subject: KEYS: Fix keyring ref leak in join_session_keyring() + +From: Yevgeny Pats + +commit 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2 upstream. + +This fixes CVE-2016-0728. + +If a thread is asked to join as a session keyring the keyring that's already +set as its session, we leak a keyring reference. + +This can be tested with the following program: + + #include + #include + #include + #include + + int main(int argc, const char *argv[]) + { + int i = 0; + key_serial_t serial; + + serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, + "leaked-keyring"); + if (serial < 0) { + perror("keyctl"); + return -1; + } + + if (keyctl(KEYCTL_SETPERM, serial, + KEY_POS_ALL | KEY_USR_ALL) < 0) { + perror("keyctl"); + return -1; + } + + for (i = 0; i < 100; i++) { + serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, + "leaked-keyring"); + if (serial < 0) { + perror("keyctl"); + return -1; + } + } + + return 0; + } + +If, after the program has run, there something like the following line in +/proc/keys: + +3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty + +with a usage count of 100 * the number of times the program has been run, +then the kernel is malfunctioning. If leaked-keyring has zero usages or +has been garbage collected, then the problem is fixed. + +Reported-by: Yevgeny Pats +Signed-off-by: David Howells +Acked-by: Don Zickus +Acked-by: Prarit Bhargava +Acked-by: Jarod Wilson +Signed-off-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + security/keys/process_keys.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/security/keys/process_keys.c ++++ b/security/keys/process_keys.c +@@ -794,6 +794,7 @@ long join_session_keyring(const char *na + ret = PTR_ERR(keyring); + goto error2; + } else if (keyring == new->session_keyring) { ++ key_put(keyring); + ret = 0; + goto error2; + } diff --git a/queue-4.4/keys-prevent-keys-from-being-removed-from-specified-keyrings.patch b/queue-4.4/keys-prevent-keys-from-being-removed-from-specified-keyrings.patch new file mode 100644 index 00000000000..ee976c67ecf --- /dev/null +++ b/queue-4.4/keys-prevent-keys-from-being-removed-from-specified-keyrings.patch @@ -0,0 +1,205 @@ +From d3600bcf9d64d88dc1d189a754dcfab960ce751f Mon Sep 17 00:00:00 2001 +From: Mimi Zohar +Date: Tue, 10 Nov 2015 08:34:46 -0500 +Subject: KEYS: prevent keys from being removed from specified keyrings + +From: Mimi Zohar + +commit d3600bcf9d64d88dc1d189a754dcfab960ce751f upstream. + +Userspace should not be allowed to remove keys from certain keyrings +(eg. blacklist), though the keys themselves can expire. + +This patch defines a new key flag named KEY_FLAG_KEEP to prevent +userspace from being able to unlink, revoke, invalidate or timed +out a key on a keyring. When this flag is set on the keyring, all +keys subsequently added are flagged. + +In addition, when this flag is set, the keyring itself can not be +cleared. + +Signed-off-by: Mimi Zohar +Cc: David Howells +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/key.h | 1 + security/keys/key.c | 6 ++++- + security/keys/keyctl.c | 56 ++++++++++++++++++++++++++++++++++++++++--------- + 3 files changed, 52 insertions(+), 11 deletions(-) + +--- a/include/linux/key.h ++++ b/include/linux/key.h +@@ -177,6 +177,7 @@ struct key { + #define KEY_FLAG_TRUSTED_ONLY 9 /* set if keyring only accepts links to trusted keys */ + #define KEY_FLAG_BUILTIN 10 /* set if key is builtin */ + #define KEY_FLAG_ROOT_CAN_INVAL 11 /* set if key can be invalidated by root without permission */ ++#define KEY_FLAG_KEEP 12 /* set if key should not be removed */ + + /* the key type and key description string + * - the desc is used to match a key against search criteria +--- a/security/keys/key.c ++++ b/security/keys/key.c +@@ -429,8 +429,12 @@ static int __key_instantiate_and_link(st + awaken = 1; + + /* and link it into the destination keyring */ +- if (keyring) ++ if (keyring) { ++ if (test_bit(KEY_FLAG_KEEP, &keyring->flags)) ++ set_bit(KEY_FLAG_KEEP, &key->flags); ++ + __key_link(key, _edit); ++ } + + /* disable the authorisation key */ + if (authkey) +--- a/security/keys/keyctl.c ++++ b/security/keys/keyctl.c +@@ -358,11 +358,14 @@ error: + * and any links to the key will be automatically garbage collected after a + * certain amount of time (/proc/sys/kernel/keys/gc_delay). + * ++ * Keys with KEY_FLAG_KEEP set should not be revoked. ++ * + * If successful, 0 is returned. + */ + long keyctl_revoke_key(key_serial_t id) + { + key_ref_t key_ref; ++ struct key *key; + long ret; + + key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE); +@@ -377,8 +380,13 @@ long keyctl_revoke_key(key_serial_t id) + } + } + +- key_revoke(key_ref_to_ptr(key_ref)); +- ret = 0; ++ key = key_ref_to_ptr(key_ref); ++ if (test_bit(KEY_FLAG_KEEP, &key->flags)) ++ return -EPERM; ++ else { ++ key_revoke(key); ++ ret = 0; ++ } + + key_ref_put(key_ref); + error: +@@ -392,11 +400,14 @@ error: + * The key and any links to the key will be automatically garbage collected + * immediately. + * ++ * Keys with KEY_FLAG_KEEP set should not be invalidated. ++ * + * If successful, 0 is returned. + */ + long keyctl_invalidate_key(key_serial_t id) + { + key_ref_t key_ref; ++ struct key *key; + long ret; + + kenter("%d", id); +@@ -420,8 +431,13 @@ long keyctl_invalidate_key(key_serial_t + } + + invalidate: +- key_invalidate(key_ref_to_ptr(key_ref)); +- ret = 0; ++ key = key_ref_to_ptr(key_ref); ++ if (test_bit(KEY_FLAG_KEEP, &key->flags)) ++ ret = -EPERM; ++ else { ++ key_invalidate(key); ++ ret = 0; ++ } + error_put: + key_ref_put(key_ref); + error: +@@ -433,12 +449,13 @@ error: + * Clear the specified keyring, creating an empty process keyring if one of the + * special keyring IDs is used. + * +- * The keyring must grant the caller Write permission for this to work. If +- * successful, 0 will be returned. ++ * The keyring must grant the caller Write permission and not have ++ * KEY_FLAG_KEEP set for this to work. If successful, 0 will be returned. + */ + long keyctl_keyring_clear(key_serial_t ringid) + { + key_ref_t keyring_ref; ++ struct key *keyring; + long ret; + + keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); +@@ -460,7 +477,11 @@ long keyctl_keyring_clear(key_serial_t r + } + + clear: +- ret = keyring_clear(key_ref_to_ptr(keyring_ref)); ++ keyring = key_ref_to_ptr(keyring_ref); ++ if (test_bit(KEY_FLAG_KEEP, &keyring->flags)) ++ ret = -EPERM; ++ else ++ ret = keyring_clear(keyring); + error_put: + key_ref_put(keyring_ref); + error: +@@ -511,11 +532,14 @@ error: + * itself need not grant the caller anything. If the last link to a key is + * removed then that key will be scheduled for destruction. + * ++ * Keys or keyrings with KEY_FLAG_KEEP set should not be unlinked. ++ * + * If successful, 0 will be returned. + */ + long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) + { + key_ref_t keyring_ref, key_ref; ++ struct key *keyring, *key; + long ret; + + keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_WRITE); +@@ -530,7 +554,13 @@ long keyctl_keyring_unlink(key_serial_t + goto error2; + } + +- ret = key_unlink(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); ++ keyring = key_ref_to_ptr(keyring_ref); ++ key = key_ref_to_ptr(key_ref); ++ if (test_bit(KEY_FLAG_KEEP, &keyring->flags) && ++ test_bit(KEY_FLAG_KEEP, &key->flags)) ++ ret = -EPERM; ++ else ++ ret = key_unlink(keyring, key); + + key_ref_put(key_ref); + error2: +@@ -1289,6 +1319,8 @@ error: + * the current time. The key and any links to the key will be automatically + * garbage collected after the timeout expires. + * ++ * Keys with KEY_FLAG_KEEP set should not be timed out. ++ * + * If successful, 0 is returned. + */ + long keyctl_set_timeout(key_serial_t id, unsigned timeout) +@@ -1320,10 +1352,14 @@ long keyctl_set_timeout(key_serial_t id, + + okay: + key = key_ref_to_ptr(key_ref); +- key_set_timeout(key, timeout); ++ if (test_bit(KEY_FLAG_KEEP, &key->flags)) ++ ret = -EPERM; ++ else { ++ key_set_timeout(key, timeout); ++ ret = 0; ++ } + key_put(key); + +- ret = 0; + error: + return ret; + } diff --git a/queue-4.4/keys-refcount-bug-fix.patch b/queue-4.4/keys-refcount-bug-fix.patch new file mode 100644 index 00000000000..c43a567b23d --- /dev/null +++ b/queue-4.4/keys-refcount-bug-fix.patch @@ -0,0 +1,84 @@ +From 1d6d167c2efcfe9539d9cffb1a1be9c92e39c2c0 Mon Sep 17 00:00:00 2001 +From: Mimi Zohar +Date: Thu, 7 Jan 2016 07:46:36 -0500 +Subject: KEYS: refcount bug fix + +From: Mimi Zohar + +commit 1d6d167c2efcfe9539d9cffb1a1be9c92e39c2c0 upstream. + +This patch fixes the key_ref leak, removes the unnecessary KEY_FLAG_KEEP +test before setting the flag, and cleans up the if/then brackets style +introduced in commit: +d3600bc KEYS: prevent keys from being removed from specified keyrings + +Reported-by: David Howells +Signed-off-by: Mimi Zohar +Acked-by: David Howells +Signed-off-by: Greg Kroah-Hartman + +--- + security/keys/key.c | 3 +-- + security/keys/keyctl.c | 17 +++++++---------- + 2 files changed, 8 insertions(+), 12 deletions(-) + +--- a/security/keys/key.c ++++ b/security/keys/key.c +@@ -430,8 +430,7 @@ static int __key_instantiate_and_link(st + + /* and link it into the destination keyring */ + if (keyring) { +- if (test_bit(KEY_FLAG_KEEP, &keyring->flags)) +- set_bit(KEY_FLAG_KEEP, &key->flags); ++ set_bit(KEY_FLAG_KEEP, &key->flags); + + __key_link(key, _edit); + } +--- a/security/keys/keyctl.c ++++ b/security/keys/keyctl.c +@@ -381,12 +381,11 @@ long keyctl_revoke_key(key_serial_t id) + } + + key = key_ref_to_ptr(key_ref); ++ ret = 0; + if (test_bit(KEY_FLAG_KEEP, &key->flags)) +- return -EPERM; +- else { ++ ret = -EPERM; ++ else + key_revoke(key); +- ret = 0; +- } + + key_ref_put(key_ref); + error: +@@ -432,12 +431,11 @@ long keyctl_invalidate_key(key_serial_t + + invalidate: + key = key_ref_to_ptr(key_ref); ++ ret = 0; + if (test_bit(KEY_FLAG_KEEP, &key->flags)) + ret = -EPERM; +- else { ++ else + key_invalidate(key); +- ret = 0; +- } + error_put: + key_ref_put(key_ref); + error: +@@ -1352,12 +1350,11 @@ long keyctl_set_timeout(key_serial_t id, + + okay: + key = key_ref_to_ptr(key_ref); ++ ret = 0; + if (test_bit(KEY_FLAG_KEEP, &key->flags)) + ret = -EPERM; +- else { ++ else + key_set_timeout(key, timeout); +- ret = 0; +- } + key_put(key); + + error: -- 2.47.3