| From security-bounces@linux.kernel.org Wed Aug 3 05:19:32 2005 |
| From: David Howells <dhowells@redhat.com> |
| To: security@kernel.org |
| Date: Wed, 03 Aug 2005 13:19:03 +0100 |
| Cc: |
| Subject: CAN-2005-2098 Error during attempt to join key management session can leave semaphore pinned |
| |
| The attached patch prevents an error during the key session joining operation |
| from hanging future joins in the D state [CAN-2005-2098]. |
| |
| The problem is that the error handling path for the KEYCTL_JOIN_SESSION_KEYRING |
| operation has one error path that doesn't release the session management |
| semaphore. Further attempts to get the semaphore will then sleep for ever in |
| the D state. |
| |
| This can happen in four situations, all involving an attempt to allocate a new |
| session keyring: |
| |
| (1) ENOMEM. |
| |
| (2) The users key quota being reached. |
| |
| (3) A keyring name that is an empty string. |
| |
| (4) A keyring name that is too long. |
| |
| Any user may attempt this operation, and so any user can cause the problem to |
| occur. |
| |
| Signed-off-by: David Howells <dhowells@redhat.com> |
| Signed-off-by: Chris Wright <chrisw@osdl.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| --- |
| security/keys/process_keys.c | 2 +- |
| 1 files changed, 1 insertion(+), 1 deletion(-) |
| |
| Index: linux-2.6.12.y/security/keys/process_keys.c |
| =================================================================== |
| --- linux-2.6.12.y.orig/security/keys/process_keys.c |
| +++ linux-2.6.12.y/security/keys/process_keys.c |
| @@ -641,7 +641,7 @@ long join_session_keyring(const char *na |
| keyring = keyring_alloc(name, tsk->uid, tsk->gid, 0, NULL); |
| if (IS_ERR(keyring)) { |
| ret = PTR_ERR(keyring); |
| - goto error; |
| + goto error2; |
| } |
| } |
| else if (IS_ERR(keyring)) { |