linux-kernel.vger.kernel.org archive mirror
From: Jiri Slaby <jslaby@suse.cz>
To: stable@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, David Howells <dhowells@redhat.com>,
	linux-ima-devel@lists.sourceforge.net,
	Jiri Slaby <jslaby@suse.cz>
Subject: [PATCH 3.12 46/86] KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings
Date: Thu,  4 May 2017 11:04:11 +0200	[thread overview]
Message-ID: <976655b79f7d41ae08ca55a323bee1db2a82f993.1493888632.git.jslaby@suse.cz> (raw)
In-Reply-To: <13a6a971c9165237531c2870da03084a6becc905.1493888632.git.jslaby@suse.cz>
In-Reply-To: <cover.1493888632.git.jslaby@suse.cz>

From: David Howells <dhowells@redhat.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit ee8f844e3c5a73b999edf733df1c529d6503ec2f upstream.

This fixes CVE-2016-9604.

Keyrings whose names begin with a '.' are special internal keyrings and so
userspace isn't allowed to create keyrings by this name to prevent
shadowing.  However, the patch that added the guard didn't fix
KEYCTL_JOIN_SESSION_KEYRING.  Not only can that create dot-named keyrings,
it can also subscribe to them as a session keyring if they grant SEARCH
permission to the user.

This, for example, allows a root process to set .builtin_trusted_keys as
its session keyring, at which point it has full access because now the
possessor permissions are added.  This permits root to add extra public
keys, thereby bypassing module verification.

This also affects kexec and IMA.

This can be tested by (as root):

	keyctl session .builtin_trusted_keys
	keyctl add user a a @s
	keyctl list @s

which on my test box gives me:

	2 keys in keyring:
	180010936: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: ae3d4a31b82daa8e1a75b49dc2bba949fd992a05
	801382539: --alswrv     0     0 user: a


Fix this by rejecting names beginning with a '.' in the keyctl.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
cc: linux-ima-devel@lists.sourceforge.net
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/keys/keyctl.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 3242195bfa95..1324b2e10286 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -271,7 +271,8 @@ error:
  * Create and join an anonymous session keyring or join a named session
  * keyring, creating it if necessary.  A named session keyring must have Search
  * permission for it to be joined.  Session keyrings without this permit will
- * be skipped over.
+ * be skipped over.  It is not permitted for userspace to create or join
+ * keyrings whose name begin with a dot.
  *
  * If successful, the ID of the joined session keyring will be returned.
  */
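Review bot: Grammar in the added comment text: "keyrings whose name begin with a dot" should read "keyrings whose names begin with a dot" (or "whose name begins"). The rest of the comment update is accurate and worth keeping, since it documents the new userspace-only restriction right next to the existing note about Search permission.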
@@ -288,12 +289,16 @@ long keyctl_join_session_keyring(const char __user *_name)
 			ret = PTR_ERR(name);
 			goto error;
 		}
+
+		ret = -EPERM;
+		if (name[0] == '.')
+			goto error_name;
 	}
 
 	/* join the session */
 	ret = join_session_keyring(name);
+error_name:
 	kfree(name);
-
 error:
 	return ret;
 }
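Review bot: The placement of the check looks right: it sits inside the block where `name` has just been copied from userspace, so the anonymous-session path (a NULL `_name`) is unaffected, and the new `error_name:` label lands on the existing `kfree(name)` so the duplicated string is not leaked on the -EPERM return, while the pre-existing `error:` path for a failed strndup_user() still correctly skips the kfree. Two points worth confirming in review: the test is only on `name[0]`, so an empty name passes through to join_session_keyring() exactly as before; and because the rejection lives in the keyctl rather than in join_session_keyring() itself, in-kernel callers of that helper keep their ability to join dot-named keyrings, which matches the intent stated in the commit message ("rejecting names beginning with a '.' in the keyctl").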
-- 
2.12.2

