mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-05 16:37:50 +00:00
[Security] Keys: Fix oops when adding key to non-keyring
This fixes the problem of an oops occuring when a user attempts to add a key to a non-keyring key [CVE-2006-1522]. The problem is that __keyring_search_one() doesn't check that the keyring it's been given is actually a keyring. I've fixed this problem by: (1) declaring that caller of __keyring_search_one() must guarantee that the keyring is a keyring; and (2) making key_create_or_update() check that the keyring is a keyring, and return -ENOTDIR if it isn't. This can be tested by: keyctl add user b b `keyctl add user a a @s` Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This commit is contained in:
parent
460fbf82c0
commit
c3a9d6541f
2 changed files with 5 additions and 0 deletions
|
@ -785,6 +785,10 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
|
||||||
|
|
||||||
key_check(keyring);
|
key_check(keyring);
|
||||||
|
|
||||||
|
key_ref = ERR_PTR(-ENOTDIR);
|
||||||
|
if (keyring->type != &key_type_keyring)
|
||||||
|
goto error_2;
|
||||||
|
|
||||||
down_write(&keyring->sem);
|
down_write(&keyring->sem);
|
||||||
|
|
||||||
/* if we're going to allocate a new key, we're going to have
|
/* if we're going to allocate a new key, we're going to have
|
||||||
|
|
|
@ -437,6 +437,7 @@ EXPORT_SYMBOL(keyring_search);
|
||||||
/*
|
/*
|
||||||
* search the given keyring only (no recursion)
|
* search the given keyring only (no recursion)
|
||||||
* - keyring must be locked by caller
|
* - keyring must be locked by caller
|
||||||
|
* - caller must guarantee that the keyring is a keyring
|
||||||
*/
|
*/
|
||||||
key_ref_t __keyring_search_one(key_ref_t keyring_ref,
|
key_ref_t __keyring_search_one(key_ref_t keyring_ref,
|
||||||
const struct key_type *ktype,
|
const struct key_type *ktype,
|
||||||
|
|
Loading…
Reference in a new issue