diff options
author | David Howells <dhowells@redhat.com> | 2006-04-10 17:01:40 +0000 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2006-04-10 21:48:21 -0700 |
commit | 5494bd6a500cc7c5a502279eabfbdacccd4b89d1 (patch) | |
tree | a1013355c5ff3d8b02245e3a91c52ac5e3b52c40 | |
parent | dbb676d1214c181e6cde4ce67b7bf012d071f1ed (diff) | |
download | lwn-5494bd6a500cc7c5a502279eabfbdacccd4b89d1.tar.gz lwn-5494bd6a500cc7c5a502279eabfbdacccd4b89d1.zip |
[PATCH] Keys: Fix oops when adding key to non-keyring [CVE-2006-1522]
This fixes the problem of an oops occuring when a user attempts to add a
key to a non-keyring key [CVE-2006-1522].
The problem is that __keyring_search_one() doesn't check that the
keyring it's been given is actually a keyring.
I've fixed this problem by:
(1) declaring that caller of __keyring_search_one() must guarantee that
the keyring is a keyring; and
(2) making key_create_or_update() check that the keyring is a keyring,
and return -ENOTDIR if it isn't.
This can be tested by:
keyctl add user b b `keyctl add user a a @s`
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | security/keys/key.c | 4 | ||||
-rw-r--r-- | security/keys/keyring.c | 1 |
2 files changed, 5 insertions, 0 deletions
diff --git a/security/keys/key.c b/security/keys/key.c index 99781b798312..0e2584e11308 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -785,6 +785,10 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, key_check(keyring); + key_ref = ERR_PTR(-ENOTDIR); + if (keyring->type != &key_type_keyring) + goto error_2; + down_write(&keyring->sem); /* if we're going to allocate a new key, we're going to have diff --git a/security/keys/keyring.c b/security/keys/keyring.c index d65a180f888d..bffa924c1f88 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -437,6 +437,7 @@ EXPORT_SYMBOL(keyring_search); /* * search the given keyring only (no recursion) * - keyring must be locked by caller + * - caller must guarantee that the keyring is a keyring */ key_ref_t __keyring_search_one(key_ref_t keyring_ref, const struct key_type *ktype, |