Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753996AbbK3NMM (ORCPT <rfc822;w@1wt.eu>);
	Mon, 30 Nov 2015 08:12:12 -0500
Received: from mail-vk0-f52.google.com ([209.85.213.52]:35511 "EHLO
	mail-vk0-f52.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753894AbbK3NMJ (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Mon, 30 Nov 2015 08:12:09 -0500
MIME-Version: 1.0
In-Reply-To: <alpine.LRH.2.20.1511251403530.21819@namei.org>
References: <alpine.LRH.2.20.1511251403530.21819@namei.org>
Date: Mon, 30 Nov 2015 08:12:08 -0500
X-Google-Sender-Auth: qiboXHw4sOVp4HDwiKN71UZD9tU
Message-ID: <CA+5PVA5HxtQMjR4LQ-D5fMbZQWGm9FMbe_e9e_BFCoYigqpQxQ@mail.gmail.com>
Subject: Re: [GIT PULL] security: KEYS: Fix handling of stored error in a
 negatively instantiated user key
From: Josh Boyer <jwboyer@fedoraproject.org>
To: James Morris <jmorris@namei.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
        linux-security-module <linux-security-module@vger.kernel.org>,
        "Linux-Kernel@Vger. Kernel. Org" <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 4666
Lines: 96

On Wed, Nov 25, 2015 at 6:41 PM, James Morris <jmorris@namei.org> wrote:
> Please pull this fix for the keys subsystem, for 4.4, from David Howells.
>
> Note: this oops is triggerable by non-privileged users.
>
> The following changes since commit 6ffeba9607343f15303a399bc402a538800d89d9:
>
>   Merge tag 'dm-4.4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm (2015-11-24 12:53:11 -0800)
>
> are available in the git repository at:
>
>   git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git for-linus
>
> David Howells (1):
>       KEYS: Fix handling of stored error in a negatively instantiated user key
>
>  security/keys/encrypted-keys/encrypted.c |    2 ++
>  security/keys/trusted.c                  |    5 ++++-
>  security/keys/user_defined.c             |    5 ++++-
>  3 files changed, 10 insertions(+), 2 deletions(-)
>
> ---
> commit 096fe9eaea40a17e125569f9e657e34cdb6d73bd
> Author: David Howells <dhowells@redhat.com>
> Date:   Tue Nov 24 21:36:31 2015 +0000
>
>     KEYS: Fix handling of stored error in a negatively instantiated user key
>
>     If a user key gets negatively instantiated, an error code is cached in the
>     payload area.  A negatively instantiated key may be then be positively
>     instantiated by updating it with valid data.  However, the ->update key
>     type method must be aware that the error code may be there.
>
>     The following may be used to trigger the bug in the user key type:
>
>         keyctl request2 user user "" @u
>         keyctl add user user "a" @u
>
>     which manifests itself as:
>
>         BUG: unable to handle kernel paging request at 00000000ffffff8a
>         IP: [<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280 kernel/rcu/tree.c:3046
>         PGD 7cc30067 PUD 0
>         Oops: 0002 [#1] SMP
>         Modules linked in:
>         CPU: 3 PID: 2644 Comm: a.out Not tainted 4.3.0+ #49
>         Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>         task: ffff88003ddea700 ti: ffff88003dd88000 task.ti: ffff88003dd88000
>         RIP: 0010:[<ffffffff810a376f>]  [<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280
>          [<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280 kernel/rcu/tree.c:3046
>         RSP: 0018:ffff88003dd8bdb0  EFLAGS: 00010246
>         RAX: 00000000ffffff82 RBX: 0000000000000000 RCX: 0000000000000001
>         RDX: ffffffff81e3fe40 RSI: 0000000000000000 RDI: 00000000ffffff82
>         RBP: ffff88003dd8bde0 R08: ffff88007d2d2da0 R09: 0000000000000000
>         R10: 0000000000000000 R11: ffff88003e8073c0 R12: 00000000ffffff82
>         R13: ffff88003dd8be68 R14: ffff88007d027600 R15: ffff88003ddea700
>         FS:  0000000000b92880(0063) GS:ffff88007fd00000(0000) knlGS:0000000000000000
>         CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
>         CR2: 00000000ffffff8a CR3: 000000007cc5f000 CR4: 00000000000006e0
>         Stack:
>          ffff88003dd8bdf0 ffffffff81160a8a 0000000000000000 00000000ffffff82
>          ffff88003dd8be68 ffff88007d027600 ffff88003dd8bdf0 ffffffff810a39e5
>          ffff88003dd8be20 ffffffff812a31ab ffff88007d027600 ffff88007d027620
>         Call Trace:
>          [<ffffffff810a39e5>] kfree_call_rcu+0x15/0x20 kernel/rcu/tree.c:3136
>          [<ffffffff812a31ab>] user_update+0x8b/0xb0 security/keys/user_defined.c:129
>          [<     inline     >] __key_update security/keys/key.c:730
>          [<ffffffff8129e5c1>] key_create_or_update+0x291/0x440 security/keys/key.c:908
>          [<     inline     >] SYSC_add_key security/keys/keyctl.c:125
>          [<ffffffff8129fc21>] SyS_add_key+0x101/0x1e0 security/keys/keyctl.c:60
>          [<ffffffff8185f617>] entry_SYSCALL_64_fastpath+0x12/0x6a arch/x86/entry/entry_64.S:185
>
>     Note the error code (-ENOKEY) in EDX.
>
>     A similar bug can be tripped by:
>
>         keyctl request2 trusted user "" @u
>         keyctl add trusted user "a" @u
>
>     This should also affect encrypted keys - but that has to be correctly
>     parameterised or it will fail with EINVAL before getting to the bit that
>     will crashes.
>
>     Reported-by: Dmitry Vyukov <dvyukov@google.com>
>     Signed-off-by: David Howells <dhowells@redhat.com>
>     Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
>     Signed-off-by: James Morris <james.l.morris@oracle.com>

This should probably be sent to stable, yes?

josh
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/