diff --git a/KEYS-ensure-we-free-the-assoc-array-edit-if-edit-is-.patch b/KEYS-ensure-we-free-the-assoc-array-edit-if-edit-is-.patch new file mode 100644 index 000000000..dc43b8ae2 --- /dev/null +++ b/KEYS-ensure-we-free-the-assoc-array-edit-if-edit-is-.patch @@ -0,0 +1,45 @@ +From 3881b164810a564714dfdc16520b0fe538ae4bf7 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Mon, 27 Jul 2015 15:23:43 +0100 +Subject: [PATCH] KEYS: ensure we free the assoc array edit if edit is valid + +__key_link_end is not freeing the associated array edit structure +and this leads to a 512 byte memory leak each time an identical +existing key is added with add_key(). + +The reason the add_key() system call returns okay is that +key_create_or_update() calls __key_link_begin() before checking to see +whether it can update a key directly rather than adding/replacing - which +it turns out it can. Thus __key_link() is not called through +__key_instantiate_and_link() and __key_link_end() must cancel the edit. + +CVE-2015-1333 + +Signed-off-by: Colin Ian King +Signed-off-by: David Howells +--- + security/keys/keyring.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/security/keys/keyring.c b/security/keys/keyring.c +index e72548b5897e..d33437007ad2 100644 +--- a/security/keys/keyring.c ++++ b/security/keys/keyring.c +@@ -1181,9 +1181,11 @@ void __key_link_end(struct key *keyring, + if (index_key->type == &key_type_keyring) + up_write(&keyring_serialise_link_sem); + +- if (edit && !edit->dead_leaf) { +- key_payload_reserve(keyring, +- keyring->datalen - KEYQUOTA_LINK_BYTES); ++ if (edit) { ++ if (!edit->dead_leaf) { ++ key_payload_reserve(keyring, ++ keyring->datalen - KEYQUOTA_LINK_BYTES); ++ } + assoc_array_cancel_edit(edit); + } + up_write(&keyring->sem); +-- +2.4.3 + diff --git a/kernel.spec b/kernel.spec index f20d8e569..99efa49db 100644 --- a/kernel.spec +++ b/kernel.spec @@ -584,7 +584,9 @@ Patch502: firmware-Drop-WARN-from-usermodehelper_read_trylock-.patch Patch503: drm-i915-turn-off-wc-mmaps.patch -Patch504: kdbus.patch +Patch504: KEYS-ensure-we-free-the-assoc-array-edit-if-edit-is-.patch + +Patch904: kdbus.patch # END OF PATCH DEFINITIONS @@ -2023,6 +2025,7 @@ fi %changelog * Mon Jul 27 2015 Josh Boyer - 4.2.0-0.rc4.git0.1 - Linux v4.2-rc4 +- CVE-2015-1333 add_key memory leak (rhbz 1244171) - Disable debugging options. * Fri Jul 24 2015 Josh Boyer - 4.2.0-0.rc3.git4.1