Bug#307553: marked as done (CAN-2005-1368: DoS possibility through inproper SMP race handling in key_user_lookup())
Your message dated Fri, 13 May 2005 17:17:52 -0400
with message-id <E1DWhXc-0007JY-00@newraff.debian.org>
and subject line Bug#307553: fixed in kernel-source-2.6.11 2.6.11-4
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 3 May 2005 21:41:26 +0000
>From jmm@inutil.org Tue May 03 14:41:26 2005
Return-path: <jmm@inutil.org>
Received: from inutil.org (vserver151.vserver151.serverflex.de) [193.22.164.111]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DT58w-0006o5-00; Tue, 03 May 2005 14:41:26 -0700
Received: from p54895ceb.dip.t-dialin.net ([84.137.92.235] helo=localhost.localdomain)
by vserver151.vserver151.serverflex.de with esmtpsa (TLS-1.0:RSA_AES_256_CBC_SHA:32)
(Exim 4.50)
id 1DT58m-0003Wo-2i
for submit@bugs.debian.org; Tue, 03 May 2005 23:41:16 +0200
Received: from jmm by localhost.localdomain with local (Exim 4.50)
id 1DT58r-0001kI-NV; Tue, 03 May 2005 23:41:21 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CAN-2005-1368: DoS possibility through inproper SMP race handling in
key_user_lookup()
X-Mailer: reportbug 3.11
Date: Tue, 03 May 2005 23:41:21 +0200
Message-Id: <[🔎] E1DT58r-0001kI-NV@localhost.localdomain>
X-SA-Exim-Connect-IP: 84.137.92.235
X-SA-Exim-Mail-From: jmm@inutil.org
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond expanded to false
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Package: kernel-source-2.6.8
Severity: important
Tags: security
<akpm@osdl.org>
[PATCH] Fix reproducible SMP crash in security/keys/key.c
Jani Jaakkola <jjaakkol@cs.Helsinki.FI> wrote:
>
> SMP race handling is broken in key_user_lookup() in security/keys/key.c
This was fixed post-2.6.11. Can you confirm that 2.6.12-rc2 works OK?
This is the patch we used. It should go into -stable if it's not already
there.
From: Alexander Nyberg <alexn@dsv.su.se>
I looked at some of the oops reports against keyrings, I think the problem
is that the search isn't restarted after dropping the key_user_lock, *p
will still be NULL when we get back to try_again and look through the tree.
It looks like the intention was that the search start over from scratch.
Signed-off-by: Alexander Nyberg <alexn@dsv.su.se>
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The fix is part of the 2.6.11.8 series:
www.kernel.org/diff/diffview.cgi?file=%2Fpub%2Flinux%2Fkernel%2Fv2.6%2Fincr%2Fpatch-2.6.11.7-8.bz2;z=13
Cheers,
Moritz
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
---------------------------------------
Received: (at 307553-close) by bugs.debian.org; 13 May 2005 21:26:19 +0000
>From katie@ftp-master.debian.org Fri May 13 14:26:19 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DWhfn-0004WP-00; Fri, 13 May 2005 14:26:19 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1DWhXc-0007JY-00; Fri, 13 May 2005 17:17:52 -0400
From: Andres Salomon <dilinger@debian.org>
To: 307553-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#307553: fixed in kernel-source-2.6.11 2.6.11-4
Message-Id: <E1DWhXc-0007JY-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Fri, 13 May 2005 17:17:52 -0400
Delivered-To: 307553-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Source: kernel-source-2.6.11
Source-Version: 2.6.11-4
We believe that the bug you reported is fixed in the latest version of
kernel-source-2.6.11, which is due to be installed in the Debian FTP archive:
kernel-doc-2.6.11_2.6.11-4_all.deb
to pool/main/k/kernel-source-2.6.11/kernel-doc-2.6.11_2.6.11-4_all.deb
kernel-patch-debian-2.6.11_2.6.11-4_all.deb
to pool/main/k/kernel-source-2.6.11/kernel-patch-debian-2.6.11_2.6.11-4_all.deb
kernel-source-2.6.11_2.6.11-4.diff.gz
to pool/main/k/kernel-source-2.6.11/kernel-source-2.6.11_2.6.11-4.diff.gz
kernel-source-2.6.11_2.6.11-4.dsc
to pool/main/k/kernel-source-2.6.11/kernel-source-2.6.11_2.6.11-4.dsc
kernel-source-2.6.11_2.6.11-4_all.deb
to pool/main/k/kernel-source-2.6.11/kernel-source-2.6.11_2.6.11-4_all.deb
kernel-tree-2.6.11_2.6.11-4_all.deb
to pool/main/k/kernel-source-2.6.11/kernel-tree-2.6.11_2.6.11-4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 307553@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andres Salomon <dilinger@debian.org> (supplier of updated kernel-source-2.6.11 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 12 May 2005 00:02:21 -0400
Source: kernel-source-2.6.11
Binary: kernel-source-2.6.11 kernel-patch-debian-2.6.11 kernel-tree-2.6.11 kernel-doc-2.6.11
Architecture: source all
Version: 2.6.11-4
Distribution: unstable
Urgency: low
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: Andres Salomon <dilinger@debian.org>
Description:
kernel-doc-2.6.11 - Linux kernel specific documentation for version 2.6.11
kernel-patch-debian-2.6.11 - Debian patches to Linux 2.6.11
kernel-source-2.6.11 - Linux kernel source for version 2.6.11 with Debian patches
kernel-tree-2.6.11 - Linux kernel source tree for building Debian kernel images
Closes: 307553
Changes:
kernel-source-2.6.11 (2.6.11-4) unstable; urgency=low
.
* [sparc64] Replaced sparc-sunsab-serial-lockup.patch by a more
official version approved by upstream (sunsab-uart-update-timeout.patch)
which appears to perform marginally better (Jurij Smakov).
Ref: http://lists.debian.org/debian-sparc/2005/04/msg00025.html
.
* [sparc64] Added sparc64-compat-nanoseconds.patch which takes care
of correctly filling out nanoseconds fields for 32-bit compat tasks
in the sparc64 compat layer (Jurij Smakov).
Ref: http://marc.theaimsgroup.com/?l=linux-sparc&m=111273516700128&w=2
.
* sparc64-sigpoll-2.6.11.patch:
[sparc64] Correctly fill out the siginfo_t fields upon delivery
of SIGPOLL and friends (Jurij Smakov)
.
* sparc64-sunsu-init-2.6.11.patch:
[sparc64] Patch by David Miller to fix the initialization of the
sunsu serial driver. Mouse connected to the serial port is now
detected properly. (Jurij Smakov)
Ref: http://lists.debian.org/debian-sparc/2005/04/msg00203.html
.
* Merge in 2.6.11.8; this includes:
o uml: quick fix syscall table
o modprobe bttv freezes the computer
o I2C: Fix incorrect sysfs file permissions in it87 and via686a drivers
See CAN-2005-1369
o Fix reproducible SMP crash in security/keys/key.c
See CAN-2005-1368. (closes: #307553)
o sparc: Fix PTRACE_CONT bogosity
o sparc64: use message queue compat syscalls
(Maximilian Attems)
.
* [alpha] Fixed compile problem in include/asm-alpha/spinlock.h
(Norbert Tretkowski)
.
* Merge in 2.6.11.9; this includes:
o Remove bogus BUG() in kernel/exit.c
o Security contact info
o Cset exclude:
khali <at> linux-fr.org[gregkh]|ChangeSet|20050430010004|65088
o fix Linux kernel ELF core dump privilege elevation
o I2C: Fix incorrect sysfs file permissions in it87 and
via686a drivers
(Andres Salomon)
Files:
dc137008c9d0a9028b1fe5d1eba0287f 997 devel optional kernel-source-2.6.11_2.6.11-4.dsc
b0c2e30db361e1d646adefcfa5c518c5 321472 devel optional kernel-source-2.6.11_2.6.11-4.diff.gz
a5e13b0ba3b91429b5370ef91ae65807 323398 devel optional kernel-patch-debian-2.6.11_2.6.11-4_all.deb
cb7e0605036269dc362c95b066a0f696 36218332 devel optional kernel-source-2.6.11_2.6.11-4_all.deb
d59f7139ac143f1ea5907d7cd7d2cc2d 39786 devel optional kernel-tree-2.6.11_2.6.11-4_all.deb
1c39dc7080e672add0e161f3662d81d9 6860388 doc optional kernel-doc-2.6.11_2.6.11-4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFChFhF2WTeT3CRQaQRAtQ/AJkB87kkW6xaEkIp0tluLlXc/AoJoACeJ6/3
InzZmvKHDSAEhPwMgG4WFic=
=vWS3
-----END PGP SIGNATURE-----
Reply to: