diff options
author | David Howells <dhowells@redhat.com> | 2006-04-10 10:15:21 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-04-10 12:33:46 -0400 |
commit | c3a9d6541f84ac3ff566982d08389b87c1c36b4e (patch) | |
tree | 161e507b276105b35dadf0c2637be9f018b0f664 | |
parent | 460fbf82c0842cad3f3c744c4dcb81978b7829f3 (diff) |
[Security] Keys: Fix oops when adding key to non-keyring
This fixes the problem of an oops occuring when a user attempts to add a
key to a non-keyring key [CVE-2006-1522].
The problem is that __keyring_search_one() doesn't check that the
keyring it's been given is actually a keyring.
I've fixed this problem by:
(1) declaring that caller of __keyring_search_one() must guarantee that
the keyring is a keyring; and
(2) making key_create_or_update() check that the keyring is a keyring,
and return -ENOTDIR if it isn't.
This can be tested by:
keyctl add user b b `keyctl add user a a @s`
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r-- | security/keys/key.c | 4 | ||||
-rw-r--r-- | security/keys/keyring.c | 1 |
2 files changed, 5 insertions, 0 deletions
diff --git a/security/keys/key.c b/security/keys/key.c index a057e3311aa..b6061fa29da 100644 --- a/security/keys/key.c +++ b/security/keys/key.c | |||
@@ -785,6 +785,10 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, | |||
785 | 785 | ||
786 | key_check(keyring); | 786 | key_check(keyring); |
787 | 787 | ||
788 | key_ref = ERR_PTR(-ENOTDIR); | ||
789 | if (keyring->type != &key_type_keyring) | ||
790 | goto error_2; | ||
791 | |||
788 | down_write(&keyring->sem); | 792 | down_write(&keyring->sem); |
789 | 793 | ||
790 | /* if we're going to allocate a new key, we're going to have | 794 | /* if we're going to allocate a new key, we're going to have |
diff --git a/security/keys/keyring.c b/security/keys/keyring.c index d65a180f888..bffa924c1f8 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c | |||
@@ -437,6 +437,7 @@ EXPORT_SYMBOL(keyring_search); | |||
437 | /* | 437 | /* |
438 | * search the given keyring only (no recursion) | 438 | * search the given keyring only (no recursion) |
439 | * - keyring must be locked by caller | 439 | * - keyring must be locked by caller |
440 | * - caller must guarantee that the keyring is a keyring | ||
440 | */ | 441 | */ |
441 | key_ref_t __keyring_search_one(key_ref_t keyring_ref, | 442 | key_ref_t __keyring_search_one(key_ref_t keyring_ref, |
442 | const struct key_type *ktype, | 443 | const struct key_type *ktype, |