[PATCH Natty CVE-2012-2745] cred: copy_process() should clear child->replacement_session_keyring

[Tim Gardner]

From: Oleg Nesterov <oleg at redhat.com>

CVE-2012-2745

BugLink: http://bugs.launchpad.net/bugs/1023535

keyctl_session_to_parent(task) sets ->replacement_session_keyring,
it should be processed and cleared by key_replace_session_keyring().

However, this task can fork before it notices TIF_NOTIFY_RESUME and
the new child gets the bogus ->replacement_session_keyring copied by
dup_task_struct(). This is obviously wrong and, if nothing else, this
leads to put_cred(already_freed_cred).

change copy_creds() to clear this member. If copy_process() fails
before this point the wrong ->replacement_session_keyring doesn't
matter, exit_creds() won't be called.

Cc: <stable at vger.kernel.org>
Signed-off-by: Oleg Nesterov <oleg at redhat.com>
Acked-by: David Howells <dhowells at redhat.com>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
(cherry picked from commit 79549c6dfda0603dba9a70a53467ce62d9335c33)

Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
---
 kernel/cred.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/cred.c b/kernel/cred.c
index 3a9d6dd..183543f 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -384,6 +384,8 @@ int copy_creds(struct task_struct *p, unsigned long clone_flags)
 	struct cred *new;
 	int ret;
 
+	p->replacement_session_keyring = NULL;
+
 	if (
 #ifdef CONFIG_KEYS
 		!p->cred->thread_keyring &&
-- 
1.7.9.5