Ack: [PATCH Natty CVE-2012-2745] cred: copy_process() should clear child->replacement_session_keyring
Brad Figg
brad.figg at canonical.com
Wed Sep 5 19:47:05 UTC 2012
On 09/05/2012 12:31 PM, Tim Gardner wrote:
> From: Oleg Nesterov <oleg at redhat.com>
>
> CVE-2012-2745
>
> BugLink: http://bugs.launchpad.net/bugs/1023535
>
> keyctl_session_to_parent(task) sets ->replacement_session_keyring,
> it should be processed and cleared by key_replace_session_keyring().
>
> However, this task can fork before it notices TIF_NOTIFY_RESUME and
> the new child gets the bogus ->replacement_session_keyring copied by
> dup_task_struct(). This is obviously wrong and, if nothing else, this
> leads to put_cred(already_freed_cred).
>
> change copy_creds() to clear this member. If copy_process() fails
> before this point the wrong ->replacement_session_keyring doesn't
> matter, exit_creds() won't be called.
>
> Cc: <stable at vger.kernel.org>
> Signed-off-by: Oleg Nesterov <oleg at redhat.com>
> Acked-by: David Howells <dhowells at redhat.com>
> Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
> (cherry picked from commit 79549c6dfda0603dba9a70a53467ce62d9335c33)
>
> Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
> ---
> kernel/cred.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/kernel/cred.c b/kernel/cred.c
> index 3a9d6dd..183543f 100644
> --- a/kernel/cred.c
> +++ b/kernel/cred.c
> @@ -384,6 +384,8 @@ int copy_creds(struct task_struct *p, unsigned long clone_flags)
> struct cred *new;
> int ret;
>
> + p->replacement_session_keyring = NULL;
> +
> if (
> #ifdef CONFIG_KEYS
> !p->cred->thread_keyring &&
>
--
Brad Figg brad.figg at canonical.com http://www.canonical.com
More information about the kernel-team
mailing list