Ack: [PATCH Lucid CVE-2012-2745] cred: copy_process() should clear child->replacement_session_keyring
Brad Figg
brad.figg at canonical.com
Wed Sep 5 19:47:25 UTC 2012
On 09/05/2012 12:35 PM, Tim Gardner wrote:
> From: Oleg Nesterov <oleg at redhat.com>
>
> CVE-2012-2745
>
> BugLink: http://bugs.launchpad.net/bugs/1023535
>
> keyctl_session_to_parent(task) sets ->replacement_session_keyring,
> it should be processed and cleared by key_replace_session_keyring().
>
> However, this task can fork before it notices TIF_NOTIFY_RESUME and
> the new child gets the bogus ->replacement_session_keyring copied by
> dup_task_struct(). This is obviously wrong and, if nothing else, this
> leads to put_cred(already_freed_cred).
>
> change copy_creds() to clear this member. If copy_process() fails
> before this point the wrong ->replacement_session_keyring doesn't
> matter, exit_creds() won't be called.
>
> Cc: <stable at vger.kernel.org>
> Signed-off-by: Oleg Nesterov <oleg at redhat.com>
> Acked-by: David Howells <dhowells at redhat.com>
> Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
> (back ported from commit 79549c6dfda0603dba9a70a53467ce62d9335c33)
>
> Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
> ---
> kernel/cred.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/kernel/cred.c b/kernel/cred.c
> index 0b5b5fc..6ffd433 100644
> --- a/kernel/cred.c
> +++ b/kernel/cred.c
> @@ -442,6 +442,7 @@ int copy_creds(struct task_struct *p, unsigned long clone_flags)
> int ret;
>
> mutex_init(&p->cred_guard_mutex);
> + p->replacement_session_keyring = NULL;
>
> if (
> #ifdef CONFIG_KEYS
>
--
Brad Figg brad.figg at canonical.com http://www.canonical.com
More information about the kernel-team
mailing list