Bug#323039: CAN-2005-2098/CAN-2005-2099: keyring related DoS

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#323039: CAN-2005-2098/CAN-2005-2099: keyring related DoS
From: Moritz Muehlenhoff <jmm@inutil.org>
Date: Sun, 14 Aug 2005 13:15:07 +0200
Message-id: <[🔎] E1E4GSK-0001SU-1o@localhost.localdomain>
Reply-to: Moritz Muehlenhoff <jmm@inutil.org>, 323039@bugs.debian.org

Package: linux-2.6
Severity: important
Tags: security patch

Hi,
two keyring related DoS vulnerabilities have been fixed in
2.6.13-rc6 (CAN-2005-209[89]). I'm copying the relevant changelog
portions with git commit ids:

Cheers,
        Moritz

commit 94efe72f762e2c147d8146d637d5ece5614c8d94
Author: David Howells <dhowells@redhat.com>
Date:   Thu Aug 4 13:07:07 2005 -0700

    [PATCH] Destruction of failed keyring oopses

    The attached patch makes sure that a keyring that failed to instantiate
    properly is destroyed without oopsing [CAN-2005-2099].

    The problem occurs in three stages:

     (1) The key allocator initialises the type-specific data to all zeroes. In
         the case of a keyring, this will become a link in the keyring name list
         when the keyring is instantiated.

     (2) If a user (any user) attempts to add a keyring with anything other than
         an empty payload, the keyring instantiation function will fail with an
         error and won't add the keyring to the name list.

     (3) The keyring's destructor then sees that the keyring has a description
         (name) and tries to remove the keyring from the name list, which oopses
         because the link pointers are both zero.

    This bug permits any user to take down a box trivially.

    Signed-Off-By: David Howells <dhowells@redhat.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>

commit bcf945d36fa0598f41ac4ad46a9dc43135460263
Author: David Howells <dhowells@redhat.com>
Date:   Thu Aug 4 13:07:06 2005 -0700

    [PATCH] Error during attempt to join key management session can leave semaphore pinned

    The attached patch prevents an error during the key session joining operation
    from hanging future joins in the D state [CAN-2005-2098].

    The problem is that the error handling path for the KEYCTL_JOIN_SESSION_KEYRING
    operation has one error path that doesn't release the session management
    semaphore. Further attempts to get the semaphore will then sleep for ever in
    the D state.

    This can happen in four situations, all involving an attempt to allocate a new
    session keyring:

     (1) ENOMEM.

     (2) The users key quota being reached.

     (3) A keyring name that is an empty string.

     (4) A keyring name that is too long.

    Any user may attempt this operation, and so any user can cause the problem to
    occur.

    Signed-Off-By: David Howells <dhowells@redhat.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

Reply to:

Follow-Ups:
- Bug#323039: CAN-2005-2098/CAN-2005-2099: keyring related DoS
  - From: Horms <horms@debian.org>
- Bug#323039: CAN-2005-2098/CAN-2005-2099: keyring related DoS
  - From: Horms <horms@debian.org>
- Bug#323039: marked as done (CAN-2005-2098/CAN-2005-2099: keyring related DoS)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Processed: severity of 322680 is grave
Next by Date: CAN-2005-1761: Unspecified DoS through stack fault exceptions / SuSE specific?
Previous by thread: Processed: severity of 322680 is grave
Next by thread: Bug#323039: CAN-2005-2098/CAN-2005-2099: keyring related DoS
Index(es):
- Date
- Thread