diff --git a/debian/changelog b/debian/changelog index 6223f6eea..5fc7ec941 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,12 +1,11 @@ linux-2.6 (2.6.12-3) UNRELEASED; urgency=low - [ Bastian Blank ] * Added reference to old kernel-* package names to make transition a little more obvious to end users. - A Dan Jacobson special. Closes: #321167 + A Dan Jacobson special. (Simon Horman) Closes: #321167 * By the time this makes it into the archive, it will - be handling kernel-image-2.6-* packages. + be handling kernel-image-2.6-* packages. (Simon Horman) Closes: #321867 * Link palinfo statically on ia64. (dann frazier) (Closes: #321885) @@ -35,7 +34,19 @@ linux-2.6 (2.6.12-3) UNRELEASED; urgency=low toolchain in sid. Many thanks go to GOTO Masanori and Matthias Klose as well as any other who worked on the biarch toolchain to make this happen. - -- Sven Luther Sun, 14 Aug 2005 15:21:37 +0200 + * [security] + security-keys-destructor-oops.patch + Fix keyring destructor + See CAN-2005-2099 (Simon Horman) + Closes: #323039 + + * [security] + security-keys-session-join.patch + Fix error during session join + See CAN-2005-2098 (Simon Horman) + Closes: #323039 + + -- Simon Horman Mon, 15 Aug 2005 17:41:42 +0900 linux-2.6 (2.6.12-2) unstable; urgency=low diff --git a/debian/patches-debian/security-keys-destructor-oops.patch b/debian/patches-debian/security-keys-destructor-oops.patch new file mode 100644 index 000000000..45abea317 --- /dev/null +++ b/debian/patches-debian/security-keys-destructor-oops.patch 
@@ -0,0 +1,55 @@
+commit 94efe72f762e2c147d8146d637d5ece5614c8d94
+tree 002e4719541ad838342e01a5f8ff63ae0a618b29
+parent bcf945d36fa0598f41ac4ad46a9dc43135460263
+author David Howells 1123186027 -0700
+committer Linus Torvalds 1123186274 -0700
+
+[PATCH] Destruction of failed keyring oopses
+
+The attached patch makes sure that a keyring that failed to instantiate
+properly is destroyed without oopsing [CAN-2005-2099].
+
+The problem occurs in three stages:
+
+ (1) The key allocator initialises the type-specific data to all zeroes. In
+ the case of a keyring, this will become a link in the keyring name list
+ when the keyring is instantiated.
+
+ (2) If a user (any user) attempts to add a keyring with anything other than
+ an empty payload, the keyring instantiation function will fail with an
+ error and won't add the keyring to the name list.
+
+ (3) The keyring's destructor then sees that the keyring has a description
+ (name) and tries to remove the keyring from the name list, which oopses
+ because the link pointers are both zero.
+
+This bug permits any user to take down a box trivially.
+
+Signed-Off-By: David Howells
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+
+I:100644 100644 a1f6bac647a1c3a673bfbb2b4b03d0556cc9be88 9c208c756df8136cbaa0a06f5442af60c712ae6d M security/keys/keyring.c
+
+Key:
+S: Skipped
+I: Included Included verbatim
+D: Deleted Manually deleted by subsequent user edit
+R: Revised Manually revised by subsequent user edit
+
+diff --git a/security/keys/keyring.c b/security/keys/keyring.c
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -201,7 +201,11 @@ static void keyring_destroy(struct key *
+
+ if (keyring->description) {
+ write_lock(&keyring_name_lock);
+- list_del(&keyring->type_data.link);
++
++ if (keyring->type_data.link.next != NULL &&
++ !list_empty(&keyring->type_data.link))
++ list_del(&keyring->type_data.link);
++
+ write_unlock(&keyring_name_lock);
+ }
+
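Review bot: The new guard in `keyring_destroy()` (`type_data.link.next != NULL && !list_empty(...)`) relies on an invariant that the code never states: per the commit message the link is all-zero until the keyring is instantiated and only then becomes a valid node in the name list. Without a comment the NULL test reads like a stray defensive check and is easy to drop in a later cleanup, which would bring the any-user oops back. I would add above the condition something like `/* link stays zeroed if instantiation failed; only unlink keyrings that reached the name list */`. The function starts and ends outside the hunk, so whether other users of `type_data.link` assume it is always initialised cannot be checked from here.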
diff --git a/debian/patches-debian/security-keys-session-join.patch b/debian/patches-debian/security-keys-session-join.patch
new file mode 100644
index 000000000..9ea00539e
--- /dev/null
+++ b/debian/patches-debian/security-keys-session-join.patch
@@ -0,0 +1,54 @@
+commit bcf945d36fa0598f41ac4ad46a9dc43135460263
+tree 7a2aa188442bf863f20055a001baf85143d7a5b9
+parent 6fb0caa42308923d9e4ed7b36ec077b97c107e24
+author David Howells 1123186026 -0700
+committer Linus Torvalds 1123186274 -0700
+
+[PATCH] Error during attempt to join key management session can leave semaphore pinned
+
+The attached patch prevents an error during the key session joining operation
+from hanging future joins in the D state [CAN-2005-2098].
+
+The problem is that the error handling path for the KEYCTL_JOIN_SESSION_KEYRING
+operation has one error path that doesn't release the session management
+semaphore. Further attempts to get the semaphore will then sleep for ever in
+the D state.
+
+This can happen in four situations, all involving an attempt to allocate a new
+session keyring:
+
+ (1) ENOMEM.
+
+ (2) The users key quota being reached.
+
+ (3) A keyring name that is an empty string.
+
+ (4) A keyring name that is too long.
+
+Any user may attempt this operation, and so any user can cause the problem to
+occur.
+
+Signed-Off-By: David Howells
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+
+I:100644 100644 9b0369c5a223acbf951178e87ebbb0789458b507 c089f78fb94ec170dbd042f08a4a61b9915c526e M security/keys/process_keys.c
+
+Key:
+S: Skipped
+I: Included Included verbatim
+D: Deleted Manually deleted by subsequent user edit
+R: Revised Manually revised by subsequent user edit
+
+diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
+--- a/security/keys/process_keys.c
++++ b/security/keys/process_keys.c
+@@ -678,7 +678,7 @@ long join_session_keyring(const char *na
+ keyring = keyring_alloc(name, tsk->uid, tsk->gid, 0, NULL);
+ if (IS_ERR(keyring)) {
+ ret = PTR_ERR(keyring);
+- goto error;
++ goto error2;
+ }
+ }
+ else if (IS_ERR(keyring)) {
diff --git a/debian/patches-debian/series/2.6.12-3 b/debian/patches-debian/series/2.6.12-3
new file mode 100644
index 000000000..85966b128
--- /dev/null
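Review bot: The fix in `join_session_keyring()` hinges on two labels, `error` and `error2`, that differ only by a digit and are both defined outside the hunk, so nothing visible shows which one releases the session management semaphore. Going by the commit message, `error2` is presumably the unlocking path; a short comment at the jump, e.g. `goto error2; /* must drop the session semaphore */`, would make that requirement explicit and guard against the same slip recurring. The hunk also ends on `else if (IS_ERR(keyring)) {`, whose body is not shown; it is worth confirming that this branch leaves through the unlocking label as well, since it sits in the same if/else chain.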
+++ b/debian/patches-debian/series/2.6.12-3
@@ -0,0 +1,2 @@
++ security-keys-destructor-oops.patch
++ security-keys-session-join.patch