KEYS: Make the keyring cycle detector ignore other keyrings of the same name
This fixes CVE-2014-0102.
The following command sequence produces an oops:
i=`keyctl newring _ses @s`
keyctl link @s $i
The problem is that search_nested_keyrings() sees two keyrings that have
matching type and description, so keyring_compare_object() returns true.
s_n_k() then passes the key to the iterator function -
keyring_detect_cycle_iterator() - which *should* check to see whether this is
the keyring of interest, not just one with the same name.
Because assoc_array_find() will return one and only one match, I assumed that
the iterator function would only see an exact match or never be called - but
the iterator isn't only called from assoc_array_find()...
The oops looks something like this:
kernel BUG at /data/fs/linux-2.6-fscache/security/keys/keyring.c:1003!
invalid opcode: 0000 [#1] SMP
The fix is to make keyring_detect_cycle_iterator() check that the key it
has is the key it was actually looking for rather than calling BUG_ON().
A testcase has been included in the keyutils testsuite for this:
Reported-by: Tommi Rantala <email@example.com>
Signed-off-by: David Howells <firstname.lastname@example.org>
Acked-by: James Morris <email@example.com>
Signed-off-by: Linus Torvalds <firstname.lastname@example.org>
1 file changed