Commit c3a9d654 authored by David Howells's avatar David Howells Committed by Linus Torvalds

[Security] Keys: Fix oops when adding key to non-keyring

This fixes the problem of an oops occuring when a user attempts to add a
key to a non-keyring key [CVE-2006-1522].

The problem is that __keyring_search_one() doesn't check that the
keyring it's been given is actually a keyring.

I've fixed this problem by:

 (1) declaring that caller of __keyring_search_one() must guarantee that
     the keyring is a keyring; and

 (2) making key_create_or_update() check that the keyring is a keyring,
     and return -ENOTDIR if it isn't.

This can be tested by:

	keyctl add user b b `keyctl add user a a @s`
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent 460fbf82
...@@ -785,6 +785,10 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, ...@@ -785,6 +785,10 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
key_check(keyring); key_check(keyring);
key_ref = ERR_PTR(-ENOTDIR);
if (keyring->type != &key_type_keyring)
goto error_2;
down_write(&keyring->sem); down_write(&keyring->sem);
/* if we're going to allocate a new key, we're going to have /* if we're going to allocate a new key, we're going to have
......
...@@ -437,6 +437,7 @@ EXPORT_SYMBOL(keyring_search); ...@@ -437,6 +437,7 @@ EXPORT_SYMBOL(keyring_search);
/* /*
* search the given keyring only (no recursion) * search the given keyring only (no recursion)
* - keyring must be locked by caller * - keyring must be locked by caller
* - caller must guarantee that the keyring is a keyring
*/ */
key_ref_t __keyring_search_one(key_ref_t keyring_ref, key_ref_t __keyring_search_one(key_ref_t keyring_ref,
const struct key_type *ktype, const struct key_type *ktype,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment