Diffstat (limited to 'freed-ora/current/f14')
-rw-r--r-- | freed-ora/current/f14/KEYS-Fix-a-NULL-pointer-deref-in-the-user-defined-ke.patch | 71 | ||||
-rw-r--r-- | freed-ora/current/f14/kernel.spec | 11 |
2 files changed, 81 insertions, 1 deletions
diff --git a/freed-ora/current/f14/KEYS-Fix-a-NULL-pointer-deref-in-the-user-defined-ke.patch b/freed-ora/current/f14/KEYS-Fix-a-NULL-pointer-deref-in-the-user-defined-ke.patch
new file mode 100644
index 000000000..46755df78
--- /dev/null
+++ b/freed-ora/current/f14/KEYS-Fix-a-NULL-pointer-deref-in-the-user-defined-ke.patch
@@ -0,0 +1,71 @@
+From f8789858be5c1b13543040b74d978ea448461155 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 15 Nov 2011 22:09:45 +0000
+Subject: [PATCH] KEYS: Fix a NULL pointer deref in the user-defined key type
+
+commit 9f35a33b8d06263a165efe3541d9aa0cdbd70b3b upstream.
+
+Fix a NULL pointer deref in the user-defined key type whereby updating a
+negative key into a fully instantiated key will cause an oops to occur
+when the code attempts to free the non-existent old payload.
+
+This results in an oops that looks something like the following:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+ IP: [<ffffffff81085fa1>] __call_rcu+0x11/0x13e
+ PGD 3391d067 PUD 3894a067 PMD 0
+ Oops: 0002 [#1] SMP
+ CPU 1
+ Pid: 4354, comm: keyctl Not tainted 3.1.0-fsdevel+ #1140 /DG965RY
+ RIP: 0010:[<ffffffff81085fa1>] [<ffffffff81085fa1>] __call_rcu+0x11/0x13e
+ RSP: 0018:ffff88003d591df8 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000006e
+ RDX: ffffffff8161d0c0 RSI: 0000000000000000 RDI: 0000000000000000
+ RBP: ffff88003d591e18 R08: 0000000000000000 R09: ffffffff8152fa6c
+ R10: 0000000000000000 R11: 0000000000000300 R12: ffff88003b8f9538
+ R13: ffffffff8161d0c0 R14: ffff88003b8f9d50 R15: ffff88003c69f908
+ FS: 00007f97eb18c720(0000) GS:ffff88003bd00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000008 CR3: 000000003d47a000 CR4: 00000000000006e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+ Process keyctl (pid: 4354, threadinfo ffff88003d590000, task ffff88003c78a040)
+ Stack:
+ ffff88003e0ffde0 ffff88003b8f9538 0000000000000001 ffff88003b8f9d50
+ ffff88003d591e28 ffffffff810860f0 ffff88003d591e68 ffffffff8117bfea
+ ffff88003d591e68 ffffffff00000000 ffff88003e0ffde1 ffff88003e0ffde0
+ Call Trace:
+ [<ffffffff810860f0>] call_rcu_sched+0x10/0x12
+ [<ffffffff8117bfea>] user_update+0x8d/0xa2
+ [<ffffffff8117723a>] key_create_or_update+0x236/0x270
+ [<ffffffff811789b1>] sys_add_key+0x123/0x17e
+ [<ffffffff813b84bb>] system_call_fastpath+0x16/0x1b
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Jeff Layton <jlayton@redhat.com>
+Acked-by: Neil Horman <nhorman@redhat.com>
+Acked-by: Steve Dickson <steved@redhat.com>
+Acked-by: James Morris <jmorris@namei.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ security/keys/user_defined.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
+index e9aa079..d6781b9 100644
+--- a/security/keys/user_defined.c
++++ b/security/keys/user_defined.c
+@@ -119,7 +119,8 @@ int user_update(struct key *key, const void *data, size_t datalen)
+ key->expiry = 0;
+ }
+
+- call_rcu(&zap->rcu, user_update_rcu_disposal);
++ if (zap)
++ call_rcu(&zap->rcu, user_update_rcu_disposal);
+
+ error:
+ return ret;
+--
+1.7.7.1
+
diff --git a/freed-ora/current/f14/kernel.spec b/freed-ora/current/f14/kernel.spec
index b43c0d4ba..01607cf51 100644
--- a/freed-ora/current/f14/kernel.spec
+++ b/freed-ora/current/f14/kernel.spec
@@ -48,7 +48,7 @@ Summary: The Linux kernel # reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec). # scripts/rebase.sh should be made to do that for you, actually. # -%global baserelease 105 +%global baserelease 106 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching
@@ -945,6 +945,9 @@ Patch21060: crypto-ghash-Avoid-null-pointer-dereference-if-no-ke.patch #rhbz 755590 Patch21061: ipv6-udp-fix-the-wrong-headroom-check.patch +#rhbz 756168 +Patch21062: KEYS-Fix-a-NULL-pointer-deref-in-the-user-defined-ke.patch + %endif BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
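Review bot: The new `if (zap)` guard in the user_update hunk of the added KEYS patch has no comment saying when `zap` can be NULL, so a later cleanup could drop it and bring back the oops shown in the commit message. A one-line comment above the guard would record the invariant, for example `/* zap is NULL when a negative key is being updated: no old payload to free */`. The call trace in the description reaches user_update through sys_add_key, so this path is driven by a userspace request and the guard is what keeps it from ending in a kernel NULL dereference. user_update's body starts outside the hunk, so the assignment of `zap` is not visible here; presumably it holds the key's old payload pointer.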
@@ -1790,6 +1793,9 @@ ApplyPatch crypto-ghash-Avoid-null-pointer-dereference-if-no-ke.patch #rhbz 755590 ApplyPatch ipv6-udp-fix-the-wrong-headroom-check.patch +#rhbz 756168 +ApplyPatch KEYS-Fix-a-NULL-pointer-deref-in-the-user-defined-ke.patch + # END OF PATCH APPLICATIONS # Linux-libre-specific, added by Koko's request for BLAG.
@@ -2379,6 +2385,9 @@ fi # and build. %changelog +* Tue Nov 22 2011 Josh Boyer <jwboyer@redhat.com> 2.6.35.14-106 +- CVE-2011-4110 keys: NULL pointer deref in the user-defined key type + * Mon Nov 21 2011 Josh Boyer <jwboyer@redhat.com> 2.6.35.14-105 - CVE-2011-4326: wrong headroom check in udp6_ufo_fragment() (rhbz 755590) |