ACK: [Trusty SRU] Fix CVE-2017-6951

Colin Ian King colin.king at canonical.com
Thu Aug 24 14:56:34 UTC 2017


On 24/08/17 15:52, Stefan Bader wrote:
> From 83b740311f54141b54f8684f131f2eb6e17e3891 Mon Sep 17 00:00:00 2001
> From: David Howells <dhowells at redhat.com>
> Date: Tue, 18 Apr 2017 15:31:08 +0100
> Subject: [PATCH] KEYS: Change the name of the dead type to ".dead" to prevent
>  user access
> 
> This fixes CVE-2017-6951.
> 
> Userspace should not be able to do things with the "dead" key type as it
> doesn't have some of the helper functions set upon it that the kernel
> needs.  Attempting to use it may cause the kernel to crash.
> 
> Fix this by changing the name of the type to ".dead" so that it's rejected
> up front on userspace syscalls by key_get_type_from_user().
> 
> Though this doesn't seem to affect recent kernels, it does affect older
> ones, certainly those prior to:
> 
> 	commit c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81
> 	Author: David Howells <dhowells at redhat.com>
> 	Date:   Tue Sep 16 17:36:06 2014 +0100
> 	KEYS: Remove key_type::match in favour of overriding default by match_preparse
> 
> which went in before 3.18-rc1.
> 
> Signed-off-by: David Howells <dhowells at redhat.com>
> cc: stable at vger.kernel.org
> 
> CVE-2017-6951
> 
> (cherry-picked from commit c1644fe041ebaf6519f6809146a77c3ead9193af)
> Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
> ---
>  Notes:
>  - From how I read the comments all kernels after 3.18-rc1 were not
>    affected. But even then this patch would not hurt. And it was
>    indeed picked up by 4.4.y in Xenial.
>  - Any kernels before 4.18-rc1 would be fixed by this patch alone
>    which is much less complicated to pull backwards (still a
>    cherry-pick for Trusty).
>  - So beside of adding this patch for Trusty we have to update the
>    cve triaging in a way that either of the two SHA1s is ok.
> 
> -Stefan
> 
>  security/keys/gc.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/security/keys/gc.c b/security/keys/gc.c
> index 4a78033..da715eb 100644
> --- a/security/keys/gc.c
> +++ b/security/keys/gc.c
> @@ -46,7 +46,7 @@ static unsigned long key_gc_flags;
>   * immediately unlinked.
>   */
>  struct key_type key_type_dead = {
> -	.name = "dead",
> +	.name = ".dead",
>  };
>  
>  /*
> 
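Review bot: the one-line rename only closes the userspace path if key_get_type_from_user() in the Trusty tree actually rejects type names that begin with '.'; the hunk touches only security/keys/gc.c and the commit message asserts that check rather than showing it, so the backport notes should record that the leading-dot rejection was confirmed present in this tree before relying on the rename alone. Within the visible hunk nothing else refers to the literal "dead", so no further callers need adjusting on the evidence of this diff.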

That's a novel fix. Clean cherry pick. Looks OK to me.

Acked-by: Colin Ian King <colin.king at canonical.com>
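As an added example (not kernel code and not part of this thread): a userspace model in C of the leading-dot namespace check that the commit message attributes to key_get_type_from_user(). The function names, the 32-byte name bound and the exact errno values are assumptions of this model, not the kernel's own code; what it shows is why a type registered as "dead" was reachable from a syscall while ".dead" is refused before any type lookup takes place.

```c
/* Added example, not kernel code: a userspace model of the check that
 * key_get_type_from_user() applies to key type names supplied through
 * the add_key/request_key/keyctl syscalls. Names beginning with '.' are
 * reserved for in-kernel types, so renaming the placeholder type from
 * "dead" to ".dead" puts it behind this check. Bounds and errno values
 * below are assumptions of the model. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEY_TYPE_NAME_MAX 32   /* assumed bound for the copied name */

/* Model of the syscall-boundary check. Copies the name into out[] and
 * returns 0 when a userspace request may proceed with it, or a negative
 * errno when the request must be refused up front. */
int check_user_type_name(const char *user_type, char *out, size_t outlen)
{
    size_t n = 0;

    if (user_type == NULL || out == NULL || outlen == 0)
        return -EFAULT;

    /* bounded length scan, standing in for strncpy_from_user() */
    while (n < outlen && user_type[n] != '\0')
        n++;
    if (n == 0 || n >= outlen)       /* empty, or unterminated within bound */
        return -EINVAL;
    if (user_type[0] == '.')         /* kernel-internal namespace: refuse */
        return -EPERM;

    memcpy(out, user_type, n + 1);
    return 0;
}

/* Convenience wrapper: the result code for a single candidate name. */
int user_type_rc(const char *name)
{
    char buf[KEY_TYPE_NAME_MAX];
    return check_user_type_name(name, buf, sizeof buf);
}

/* Simulates the effect of the patch: a type registered under the old name
 * "dead" passes the boundary check and is looked up; under ".dead" it is
 * refused before any lookup happens. Returns 1 if reachable, 0 if not. */
int type_reachable_from_user(const char *registered_name)
{
    return user_type_rc(registered_name) == 0;
}

int main(void)
{
    const char *names[] = { "user", "keyring", "dead", ".dead", "", NULL };

    for (int i = 0; names[i] != NULL; i++) {
        int rc = user_type_rc(names[i]);
        printf("%-8s -> %s (rc=%d)\n",
               names[i][0] ? names[i] : "\"\"",
               rc == 0 ? "accepted" : "rejected", rc);
    }
    return 0;
}
```

Running the block prints one line per constructed name; "dead" is accepted and ".dead" rejected with -EPERM, which is the whole effect of the one-line rename in the patch.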
