Re: [PATCH] KEYS: Fix keyring ref leak in join_session_keyring()

From: Greg KH
Date: Wed Jan 20 2016 - 03:20:51 EST


On Tue, Jan 19, 2016 at 10:09:04PM +0000, David Howells wrote:
> From: Yevgeny Pats <yevgeny@xxxxxxxxxxxxxxxxxxx>
>
> This fixes CVE-2016-0728.
>
> If a thread is asked to join as a session keyring the keyring that's already
> set as its session, we leak a keyring reference.
>
> This can be tested with the following program:
>
> #include <stddef.h>
> #include <stdio.h>
> #include <sys/types.h>
> #include <keyutils.h>
>
> int main(int argc, const char *argv[])
> {
> int i = 0;
> key_serial_t serial;
>
> serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
> "leaked-keyring");
> if (serial < 0) {
> perror("keyctl");
> return -1;
> }
>
> if (keyctl(KEYCTL_SETPERM, serial,
> KEY_POS_ALL | KEY_USR_ALL) < 0) {
> perror("keyctl");
> return -1;
> }
>
> for (i = 0; i < 100; i++) {
> serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
> "leaked-keyring");
> if (serial < 0) {
> perror("keyctl");
> return -1;
> }
> }
>
> return 0;
> }
>
> If, after the program has run, there something like the following line in
> /proc/keys:
>
> 3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty
>
> with a usage count of 100 * the number of times the program has been run,
> then the kernel is malfunctioning. If leaked-keyring has zero usages or
> has been garbage collected, then the problem is fixed.
>
> Reported-by: Yevgeny Pats <yevgeny@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
> Acked-by: Don Zickus <dzickus@xxxxxxxxxx>
> Acked-by: Prarit Bhargava <prarit@xxxxxxxxxx>
> Acked-by: Jarod Wilson <jarod@xxxxxxxxxx>

Any reason you didn't tag this for stable kernels?

thanks,

greg k-h