From: David Howells Date: Fri, 10 Sep 2010 08:59:51 +0000 (+0100) Subject: KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring X-Git-Tag: v2.6.35.6~18 X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=0f403655ecddfdb7630adbb6ba59c30cb0c541a4;p=karo-tx-linux.git KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring commit 3d96406c7da1ed5811ea52a3b0905f4f0e295376 upstream. Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership of the parent process's session keyring whether or not the parent has a session keyring [CVE-2010-2960]. This results in the following oops: BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0 IP: [] keyctl_session_to_parent+0x251/0x443 ... Call Trace: [] ? keyctl_session_to_parent+0x67/0x443 [] ? __do_fault+0x24b/0x3d0 [] sys_keyctl+0xb4/0xb8 [] system_call_fastpath+0x16/0x1b if the parent process has no session keyring. If the system is using pam_keyinit then it mostly protected against this as all processes derived from a login will have inherited the session keyring created by pam_keyinit during the log in procedure. To test this, pam_keyinit calls need to be commented out in /etc/pam.d/. Reported-by: Tavis Ormandy Signed-off-by: David Howells Acked-by: Tavis Ormandy Cc: dann frazier Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 747d8f2b5dce..e0d1e2b90a21 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c @@ -1292,7 +1292,8 @@ long keyctl_session_to_parent(void) goto not_permitted; /* the keyrings must have the same UID */ - if (pcred->tgcred->session_keyring->uid != mycred->euid || + if ((pcred->tgcred->session_keyring && + pcred->tgcred->session_keyring->uid != mycred->euid) || mycred->tgcred->session_keyring->uid != mycred->euid) goto not_permitted;