From e5da0c6fbe422dbea9d498729424f6a1befa498a Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes"
Date: Tue, 19 Jan 2016 12:45:47 -0600
Subject: [PATCH] Linux v4.4-8855-ga200dcb
---
...ing-ref-leak-in-join_session_keyring.patch | 78 +++++++++++++++++++
config-armv7-lpae | 1 +
config-generic | 3 +-
gitrev | 2 +-
kernel.spec | 9 ++-
sources | 2 +-
6 files changed, 91 insertions(+), 4 deletions(-)
create mode 100644 KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
diff --git a/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch b/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
new file mode 100644
index 000000000..5eec95c62
--- /dev/null
+++ b/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
@@ -0,0 +1,78 @@
+From 05fd13592b60c3e9873f56705f80ff934e98b046 Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Mon, 18 Jan 2016 10:53:31 +0000
+Subject: [PATCH] KEYS: Fix keyring ref leak in join_session_keyring()
+
+This fixes CVE-2016-0728.
+
+If a thread is asked to join as a session keyring the keyring that's already
+set as its session, we leak a keyring reference.
+
+This can be tested with the following program:
+
+ #include
+ #include
+ #include
+ #include
+
+ int main(int argc, const char *argv[])
+ {
+ int i = 0;
+ key_serial_t serial;
+
+ serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
+ "leaked-keyring");
+ if (serial < 0) {
+ perror("keyctl");
+ return -1;
+ }
+
+ if (keyctl(KEYCTL_SETPERM, serial,
+ KEY_POS_ALL | KEY_USR_ALL) < 0) {
+ perror("keyctl");
+ return -1;
+ }
+
+ for (i = 0; i < 100; i++) {
+ serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
+ "leaked-keyring");
+ if (serial < 0) {
+ perror("keyctl");
+ return -1;
+ }
+ }
+
+ return 0;
+ }
+
+If, after the program has run, there something like the following line in
+/proc/keys:
+
+3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty
+
+with a usage count of 100 * the number of times the program has been run,
+then the kernel is malfunctioning. If leaked-keyring has zero usages or
+has been garbage collected, then the problem is fixed.
+
+Reported-by: Yevgeny Pats
+Signed-off-by: David Howells
+RH-bugzilla: 1298036
+---
+ security/keys/process_keys.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
+index 43b4cddbf2b3..7877e5cd4e23 100644
+--- a/security/keys/process_keys.c
++++ b/security/keys/process_keys.c
+@@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
+ ret = PTR_ERR(keyring);
+ goto error2;
+ } else if (keyring == new->session_keyring) {
++ key_put(keyring);
+ ret = 0;
+ goto error2;
+ }
+--
+2.5.0
+
diff --git a/config-armv7-lpae b/config-armv7-lpae
index 483c49960..828b13a87 100644
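Review bot: The `key_put(keyring);` added to the `keyring == new->session_keyring` branch has no comment tying it to the reference it releases, and the lookup that takes that reference lies outside the hunk. The commit message shows the usage count in /proc/keys growing by one per repeated join, so without the put the count is limited only by the counter's width; presumably that is what makes this a CVE rather than a plain leak, and it is worth saying so in the code. I would add `/* Already the session keyring: drop the ref the lookup took. */` above the call. The rest of join_session_keyring() and the `error2` label are outside the hunk, so confirm that no other exit between the lookup and `error2` returns without a put.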
--- a/config-armv7-lpae +++ b/config-armv7-lpae @@ -81,3 +81,4 @@ CONFIG_GPIO_SYSCON=m # CONFIG_SND_SOC_TEGRA20_DAS is not set # CONFIG_SND_SOC_TEGRA20_SPDIF is not set # CONFIG_SND_SOC_TEGRA_RT5677 is not set +# CONFIG_DRM_OMAP is not set diff --git a/config-generic b/config-generic index f9b630382..b9109aafc 100644 --- a/config-generic +++ b/config-generic @@ -3222,6 +3222,7 @@ CONFIG_RTC_DRV_V3020=m CONFIG_RTC_DRV_DS2404=m CONFIG_RTC_DRV_STK17TA8=m # CONFIG_RTC_DRV_S35390A is not set +CONFIG_RTC_DRV_RX8010=m CONFIG_RTC_DRV_RX8581=m CONFIG_RTC_DRV_RX8025=m CONFIG_RTC_DRV_DS1286=m @@ -5256,7 +5257,7 @@ CONFIG_SND_SOC_GENERIC_DMAENGINE_PCM=y # CONFIG_SND_SOC_STI_SAS is not set # CONFIG_SND_SOC_INNO_RK3036 is not set # CONFIG_SND_SOC_IMG is not set -# CONFIG_SND_SOC_AMD_ACP is not set +CONFIG_SND_SOC_AMD_ACP=m CONFIG_BALLOON_COMPACTION=y CONFIG_COMPACTION=y diff --git a/gitrev b/gitrev index e23d72ea9..d5f87db06 100644 --- a/gitrev +++ b/gitrev @@ -1 +1 @@ -5807fcaa9bf7dd87241df739161c119cf78a6bc4 +a200dcb34693084e56496960d855afdeaaf9578f diff --git a/kernel.spec b/kernel.spec index 0aa0c6010..d6d1a2cd7 100644 --- a/kernel.spec +++ b/kernel.spec @@ -67,7 +67,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 0 # The git snapshot level -%define gitrev 5 +%define gitrev 6 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif @@ -599,6 +599,9 @@ Patch623: usb-serial-visor-fix-crash-on-detecting-device-witho.patch # https://patchwork.kernel.org/patch/8055301/ Patch625: cpupower-Fix-build-error-in-cpufreq-info.patch +#CVE-2016-0728 rhbz 1296623 +Patch626: KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch + # END OF PATCH DEFINITIONS %endif @@ -2044,6 +2047,10 @@ fi # # %changelog +* Tue Jan 19 2016 Justin M. Forbes - 4.5.0-0.rc0.git6.1 +- Linux v4.4-8855-ga200dcb +- CVE-2016-0728 Keys: reference leak in join_session_keyring (rhbz 1296623) + * Tue Jan 19 2016 Peter Robinson - Fix boot on TI am33xx/omap devices 
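Review bot: The comment added above `Patch626` and the new changelog entry both cite rhbz 1296623, while the imported patch carries the trailer `RH-bugzilla: 1298036`. These may be separate tracker bugs for CVE-2016-0728, but nothing on the page says so; if both apply, list them together as `#CVE-2016-0728 rhbz 1296623 1298036` and the same in the changelog line. The hunk only declares the patch, and the %prep logic that applies it is outside the hunk, so check there that Patch626 is actually picked up in the build.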
diff --git a/sources b/sources
index ae92f519d..0055051a8 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 9a78fa2eb6c68ca5a40ed5af08142599 linux-4.4.tar.xz
 dcbc8fe378a676d5d0dd208cf524e144 perf-man-4.4.tar.gz
-37c094912e7812f0a856e67aa313c9e8 patch-4.4-git5.xz
+64ceedc19f6080bedbafdc1321d9ac95 patch-4.4-git6.xz