diff options
author | Dan Ziemba | 2016-01-19 22:22:12 -0500 |
---|---|---|
committer | Dan Ziemba | 2016-01-19 22:22:12 -0500 |
commit | 395dd26e9be85bab67ecc740881877d2660c8f54 (patch) | |
tree | 6e112199cc48f8a5fe5232c3e835c3aca59bfc41 | |
parent | 609389d6f65100aba8865bedf38ef80d53e115d3 (diff) | |
download | aur-395dd26e9be85bab67ecc740881877d2660c8f54.tar.gz |
Patch for CVE-2016-0728
-rw-r--r-- | .SRCINFO | 6 | ||||
-rw-r--r-- | KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch | 75 | ||||
-rw-r--r-- | PKGBUILD | 8 |
3 files changed, 87 insertions, 2 deletions
@@ -1,6 +1,8 @@ +# Generated by mksrcinfo v8 +# Wed Jan 20 03:20:36 UTC 2016 pkgbase = linux-vfio-lts pkgver = 4.1.15 - pkgrel = 1 + pkgrel = 2 url = http://www.kernel.org/ arch = i686 arch = x86_64 @@ -19,6 +21,7 @@ pkgbase = linux-vfio-lts source = config.x86_64 source = linux.preset source = change-default-console-loglevel.patch + source = KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch source = override_for_missing_acs_capabilities.patch source = i915_317.patch sha256sums = caf51f085aac1e1cea4d00dbbf3093ead07b551fc07b31b2a989c05f8ea72d9f @@ -29,6 +32,7 @@ pkgbase = linux-vfio-lts sha256sums = ee55d469a4c00b6fb4144549f2a9c5b84d9fe7948c7cbd2637dce72227392b4f sha256sums = f0d90e756f14533ee67afda280500511a62465b4f76adcc5effa95a40045179c sha256sums = 1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99 + sha256sums = b6ce060a6997861e14d1061d72b96c35476e8967dd26c8020fcff4a5f0fe453d sha256sums = 975f79348119bfba8dd972a9fbfe6b38484c45bfd228f2f6d48a0c02426ba149 sha256sums = 65faab45248008810b0a5f27162101a34dfe298c14d3506e52236c680353d7f8 diff --git a/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch b/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch new file mode 100644 index 000000000000..9c6a9697387d --- /dev/null +++ b/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch @@ -0,0 +1,75 @@ +From 7ca88764d45c209791e8813131c1457c2e9e51e7 Mon Sep 17 00:00:00 2001 +From: Yevgeny Pats <yevgeny@perception-point.io> +Date: Mon, 11 Jan 2016 12:05:28 +0000 +Subject: KEYS: Fix keyring ref leak in join_session_keyring() + +If a thread is asked to join as a session keyring the keyring that's already +set as its session, we leak a keyring reference. + +This can be tested with the following program: + + #include <stddef.h> + #include <stdio.h> + #include <sys/types.h> + #include <keyutils.h> + + int main(int argc, const char *argv[]) + { + int i = 0; + key_serial_t serial; + + serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, + "leaked-keyring"); + if (serial < 0) { + perror("keyctl"); + return -1; + } + + if (keyctl(KEYCTL_SETPERM, serial, + KEY_POS_ALL | KEY_USR_ALL) < 0) { + perror("keyctl"); + return -1; + } + + for (i = 0; i < 100; i++) { + serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, + "leaked-keyring"); + if (serial < 0) { + perror("keyctl"); + return -1; + } + } + + return 0; + } + +If, after the program has run, there something like the following line in +/proc/keys: + +3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty + +with a usage count of 100 * the number of times the program has been run, +then the kernel is malfunctioning. If leaked-keyring has zero usages or +has been garbage collected, then the problem is fixed. + +Reported-by: Yevgeny Pats <yevgeny@perception-point.io> +Signed-off-by: David Howells <dhowells@redhat.com> +--- + security/keys/process_keys.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c +index a3f85d2..e6d50172 100644 +--- a/security/keys/process_keys.c ++++ b/security/keys/process_keys.c +@@ -794,6 +794,7 @@ long join_session_keyring(const char *name) + ret = PTR_ERR(keyring); + goto error2; + } else if (keyring == new->session_keyring) { ++ key_put(keyring); + ret = 0; + goto error2; + } +-- +2.7.0.rc3 + @@ -7,7 +7,7 @@ _srcname=linux-4.1 # / | \ # SKY NET pkgver=4.1.15 -pkgrel=1 +pkgrel=2 arch=('i686' 'x86_64') url="http://www.kernel.org/" license=('GPL2') @@ -22,6 +22,7 @@ source=("https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.xz" # standard config files for mkinitcpio ramdisk 'linux.preset' 'change-default-console-loglevel.patch' + 'KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch' 'override_for_missing_acs_capabilities.patch' 'i915_317.patch' ) @@ -33,6 +34,7 @@ sha256sums=('caf51f085aac1e1cea4d00dbbf3093ead07b551fc07b31b2a989c05f8ea72d9f' 'ee55d469a4c00b6fb4144549f2a9c5b84d9fe7948c7cbd2637dce72227392b4f' 'f0d90e756f14533ee67afda280500511a62465b4f76adcc5effa95a40045179c' '1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99' + 'b6ce060a6997861e14d1061d72b96c35476e8967dd26c8020fcff4a5f0fe453d' '975f79348119bfba8dd972a9fbfe6b38484c45bfd228f2f6d48a0c02426ba149' '65faab45248008810b0a5f27162101a34dfe298c14d3506e52236c680353d7f8') validpgpkeys=( @@ -62,6 +64,10 @@ prepare() { cat "${srcdir}/config" > ./.config fi + # patch for CVE-2016-0728 + # https://anonscm.debian.org/cgit/kernel/linux.git/commit/?h=jessie-security&id=0ac8c3e88cf1ea329ede357f2a01a9b1a8734e24 + patch -Np1 -i "${srcdir}/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch" + # patches for vga arbiter fix in intel systems patch -Np1 -i "${srcdir}/i915_317.patch" |