aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2006-04-10 10:15:21 -0400
committerLinus Torvalds <torvalds@g5.osdl.org>2006-04-10 12:33:46 -0400
commitc3a9d6541f84ac3ff566982d08389b87c1c36b4e (patch)
tree161e507b276105b35dadf0c2637be9f018b0f664
parent460fbf82c0842cad3f3c744c4dcb81978b7829f3 (diff)
[Security] Keys: Fix oops when adding key to non-keyring
This fixes the problem of an oops occuring when a user attempts to add a key to a non-keyring key [CVE-2006-1522]. The problem is that __keyring_search_one() doesn't check that the keyring it's been given is actually a keyring. I've fixed this problem by: (1) declaring that caller of __keyring_search_one() must guarantee that the keyring is a keyring; and (2) making key_create_or_update() check that the keyring is a keyring, and return -ENOTDIR if it isn't. This can be tested by: keyctl add user b b `keyctl add user a a @s` Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r--security/keys/key.c4
-rw-r--r--security/keys/keyring.c1
2 files changed, 5 insertions, 0 deletions
diff --git a/security/keys/key.c b/security/keys/key.c
index a057e3311aa..b6061fa29da 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -785,6 +785,10 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
785 785
786 key_check(keyring); 786 key_check(keyring);
787 787
788 key_ref = ERR_PTR(-ENOTDIR);
789 if (keyring->type != &key_type_keyring)
790 goto error_2;
791
788 down_write(&keyring->sem); 792 down_write(&keyring->sem);
789 793
790 /* if we're going to allocate a new key, we're going to have 794 /* if we're going to allocate a new key, we're going to have
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index d65a180f888..bffa924c1f8 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -437,6 +437,7 @@ EXPORT_SYMBOL(keyring_search);
437/* 437/*
438 * search the given keyring only (no recursion) 438 * search the given keyring only (no recursion)
439 * - keyring must be locked by caller 439 * - keyring must be locked by caller
440 * - caller must guarantee that the keyring is a keyring
440 */ 441 */
441key_ref_t __keyring_search_one(key_ref_t keyring_ref, 442key_ref_t __keyring_search_one(key_ref_t keyring_ref,
442 const struct key_type *ktype, 443 const struct key_type *ktype,