| From c1644fe041ebaf6519f6809146a77c3ead9193af Mon Sep 17 00:00:00 2001 |
| From: David Howells <dhowells@redhat.com> |
| Date: Tue, 18 Apr 2017 15:31:08 +0100 |
| Subject: KEYS: Change the name of the dead type to ".dead" to prevent user access |
| |
| From: David Howells <dhowells@redhat.com> |
| |
| commit c1644fe041ebaf6519f6809146a77c3ead9193af upstream. |
| |
| This fixes CVE-2017-6951. |
| |
| Userspace should not be able to do things with the "dead" key type as it |
| doesn't have some of the helper functions set upon it that the kernel |
| needs. Attempting to use it may cause the kernel to crash. |
| |
| Fix this by changing the name of the type to ".dead" so that it's rejected |
| up front on userspace syscalls by key_get_type_from_user(). |
| |
| Though this doesn't seem to affect recent kernels, it does affect older |
| ones, certainly those prior to: |
| |
| commit c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81 |
| Author: David Howells <dhowells@redhat.com> |
| Date: Tue Sep 16 17:36:06 2014 +0100 |
| KEYS: Remove key_type::match in favour of overriding default by match_preparse |
| |
| which went in before 3.18-rc1. |
| |
| Signed-off-by: David Howells <dhowells@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| security/keys/gc.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/security/keys/gc.c |
| +++ b/security/keys/gc.c |
| @@ -46,7 +46,7 @@ static unsigned long key_gc_flags; |
| * immediately unlinked. |
| */ |
| struct key_type key_type_dead = { |
| - .name = "dead", |
| + .name = ".dead", |
| }; |
| |
| /* |
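Review bot: the `.name = ".dead"` initializer in key_type_dead has no comment saying that the leading dot is what the fix depends on. Per the commit message, that prefix is the reason key_get_type_from_user() rejects the type on userspace syscalls. Suggest extending the comment block just above the struct (the one ending "immediately unlinked.") with a line stating that the name must keep its "." prefix so userspace cannot request this type, which lacks helper functions the kernel needs. Otherwise a later rename could silently re-expose it. Since the diffstat shows only security/keys/gc.c changing, it is also worth confirming that nothing else in the kernel looks this type up by the old string "dead".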