Ack: [PATCH Natty CVE-2012-2745] cred: copy_process() should clear child->replacement_session_keyring

Brad Figg brad.figg at canonical.com
Wed Sep 5 19:47:05 UTC 2012


On 09/05/2012 12:31 PM, Tim Gardner wrote:
> From: Oleg Nesterov <oleg at redhat.com>
> 
> CVE-2012-2745
> 
> BugLink: http://bugs.launchpad.net/bugs/1023535
> 
> keyctl_session_to_parent(task) sets ->replacement_session_keyring,
> it should be processed and cleared by key_replace_session_keyring().
> 
> However, this task can fork before it notices TIF_NOTIFY_RESUME and
> the new child gets the bogus ->replacement_session_keyring copied by
> dup_task_struct(). This is obviously wrong and, if nothing else, this
> leads to put_cred(already_freed_cred).
> 
> change copy_creds() to clear this member. If copy_process() fails
> before this point the wrong ->replacement_session_keyring doesn't
> matter, exit_creds() won't be called.
> 
> Cc: <stable at vger.kernel.org>
> Signed-off-by: Oleg Nesterov <oleg at redhat.com>
> Acked-by: David Howells <dhowells at redhat.com>
> Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
> (cherry picked from commit 79549c6dfda0603dba9a70a53467ce62d9335c33)
> 
> Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
> ---
>  kernel/cred.c |    2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/kernel/cred.c b/kernel/cred.c
> index 3a9d6dd..183543f 100644
> --- a/kernel/cred.c
> +++ b/kernel/cred.c
> @@ -384,6 +384,8 @@ int copy_creds(struct task_struct *p, unsigned long clone_flags)
>  	struct cred *new;
>  	int ret;
>  
> +	p->replacement_session_keyring = NULL;
> +
>  	if (
>  #ifdef CONFIG_KEYS
>  		!p->cred->thread_keyring &&
> 


-- 
Brad Figg brad.figg at canonical.com http://www.canonical.com




More information about the kernel-team mailing list