Skip to content
Snippets Groups Projects
user avatar
Luis Henriques authored
This is a note to let you know that I have just added a patch titled

    KEYS: Fix keyring ref leak in join_session_keyring()

to the linux-3.16.y-queue branch of the 3.16.y-ckt extended stable tree
which can be found at:

    http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-3.16.y-queue

This patch is scheduled to be released in version 3.16.7-ckt23.

If you, or anyone else, feels it should not be added to this tree, please
reply to this email.

For more information about the 3.16.y-ckt tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable



Thanks.
-Luis

---8<------------------------------------------------------------

>From f3e9ef6b8ef8849f32fb7929c0f1582f1c8354b1 Mon Sep 17 00:00:00 2001
From: Yevgeny Pats <yevgeny@perception-point.io>
Date: Tue, 19 Jan 2016 22:09:04 +0000
Subject: KEYS: Fix keyring ref leak in join_session_keyring()

commit 23567fd0 upstream.

This fixes CVE-2016-0728.

If a thread is asked to join as a session keyring the keyring that's already
set as its session, we leak a keyring reference.

This can be tested with the following program:

	#include <stddef.h>
	#include <stdio.h>
	#include <sys/types.h>
	#include <keyutils.h>

	int main(int argc, const char *argv[])
	{
		int i = 0;
		key_serial_t serial;

		serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
				"leaked-keyring");
		if (serial < 0) {
			perror("keyctl");
			return -1;
		}

		if (keyctl(KEYCTL_SETPERM, serial,
			   KEY_POS_ALL | KEY_USR_ALL) < 0) {
			perror("keyctl");
			return -1;
		}

		for (i = 0; i < 100; i++) {
			serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
					"leaked-keyring");
			if (serial < 0) {
				perror("keyctl");
				return -1;
			}
		}

		return 0;
	}

If, after the program has run, there something like the following line in
/proc/keys:

3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty

with a usage count of 100 * the number of times the program has been run,
then the kernel is malfunctioning.  If leaked-keyring has zero usages or
has been garbage collected, then the problem is fixed.

Reported-by: default avatarYevgeny Pats <yevgeny@perception-point.io>
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Acked-by: default avatarDon Zickus <dzickus@redhat.com>
Acked-by: default avatarPrarit Bhargava <prarit@redhat.com>
Acked-by: default avatarJarod Wilson <jarod@redhat.com>
Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
Change-Id: I9e4826bb62e7e36dbf709078eab0b404b8ae51b7
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/229398


Reviewed-by: default avatarLiJen_Chang <LiJen_Chang@asus.com>
Tested-by: default avatarLiJen_Chang <LiJen_Chang@asus.com>
c1fa80cc
Name Last commit Last update