[PATCH Lucid CVE-2012-2745] cred: copy_process() should clear child->replacement_session_keyring

[Tim Gardner]

From: Oleg Nesterov <oleg at redhat.com>

CVE-2012-2745

BugLink: http://bugs.launchpad.net/bugs/1023535

keyctl_session_to_parent(task) sets ->replacement_session_keyring,
it should be processed and cleared by key_replace_session_keyring().

However, this task can fork before it notices TIF_NOTIFY_RESUME and
the new child gets the bogus ->replacement_session_keyring copied by
dup_task_struct(). This is obviously wrong and, if nothing else, this
leads to put_cred(already_freed_cred).

change copy_creds() to clear this member. If copy_process() fails
before this point the wrong ->replacement_session_keyring doesn't
matter, exit_creds() won't be called.

Cc: <stable at vger.kernel.org>
Signed-off-by: Oleg Nesterov <oleg at redhat.com>
Acked-by: David Howells <dhowells at redhat.com>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
(back ported from commit 79549c6dfda0603dba9a70a53467ce62d9335c33)

Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
---
 kernel/cred.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/cred.c b/kernel/cred.c
index 0b5b5fc..6ffd433 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -442,6 +442,7 @@ int copy_creds(struct task_struct *p, unsigned long clone_flags)
 	int ret;
 
 	mutex_init(&p->cred_guard_mutex);
+	p->replacement_session_keyring = NULL;
 
 	if (
 #ifdef CONFIG_KEYS
-- 
1.7.9.5