[meta-freescale] [meta-fsl-ppc krogoth][PATCH] kernel: CVE-2015-8539 local privesc in key mgm

Sona Sarmadi sona.sarmadi at enea.com
Thu Nov 24 01:47:00 PST 2016 

Fixes a flaw in the Linux kernels key management code.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8539

Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=15216848e8c78335945cc19a4098bdd204baa99c

Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
---
 recipes-kernel/linux/files/CVE-2015-8539.patch | 132 +++++++++++++++++++++++++
 recipes-kernel/linux/linux-qoriq_3.12.bb       |   1 +
 2 files changed, 133 insertions(+)
 create mode 100644 recipes-kernel/linux/files/CVE-2015-8539.patch

diff --git a/recipes-kernel/linux/files/CVE-2015-8539.patch b/recipes-kernel/linux/files/CVE-2015-8539.patch
new file mode 100644
index 0000000..e6d99b9
--- /dev/null
+++ b/recipes-kernel/linux/files/CVE-2015-8539.patch
@@ -0,0 +1,132 @@
+From 15216848e8c78335945cc19a4098bdd204baa99c Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 24 Nov 2015 21:36:31 +0000
+Subject: KEYS: Fix handling of stored error in a negatively instantiated user
+ key
+
+commit 096fe9eaea40a17e125569f9e657e34cdb6d73bd upstream.
+
+If a user key gets negatively instantiated, an error code is cached in the
+payload area.  A negatively instantiated key may be then be positively
+instantiated by updating it with valid data.  However, the ->update key
+type method must be aware that the error code may be there.
+
+The following may be used to trigger the bug in the user key type:
+
+    keyctl request2 user user "" @u
+    keyctl add user user "a" @u
+
+which manifests itself as:
+
+	BUG: unable to handle kernel paging request at 00000000ffffff8a
+	IP: [<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280 kernel/rcu/tree.c:3046
+	PGD 7cc30067 PUD 0
+	Oops: 0002 [#1] SMP
+	Modules linked in:
+	CPU: 3 PID: 2644 Comm: a.out Not tainted 4.3.0+ #49
+	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+	task: ffff88003ddea700 ti: ffff88003dd88000 task.ti: ffff88003dd88000
+	RIP: 0010:[<ffffffff810a376f>]  [<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280
+	 [<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280 kernel/rcu/tree.c:3046
+	RSP: 0018:ffff88003dd8bdb0  EFLAGS: 00010246
+	RAX: 00000000ffffff82 RBX: 0000000000000000 RCX: 0000000000000001
+	RDX: ffffffff81e3fe40 RSI: 0000000000000000 RDI: 00000000ffffff82
+	RBP: ffff88003dd8bde0 R08: ffff88007d2d2da0 R09: 0000000000000000
+	R10: 0000000000000000 R11: ffff88003e8073c0 R12: 00000000ffffff82
+	R13: ffff88003dd8be68 R14: ffff88007d027600 R15: ffff88003ddea700
+	FS:  0000000000b92880(0063) GS:ffff88007fd00000(0000) knlGS:0000000000000000
+	CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+	CR2: 00000000ffffff8a CR3: 000000007cc5f000 CR4: 00000000000006e0
+	Stack:
+	 ffff88003dd8bdf0 ffffffff81160a8a 0000000000000000 00000000ffffff82
+	 ffff88003dd8be68 ffff88007d027600 ffff88003dd8bdf0 ffffffff810a39e5
+	 ffff88003dd8be20 ffffffff812a31ab ffff88007d027600 ffff88007d027620
+	Call Trace:
+	 [<ffffffff810a39e5>] kfree_call_rcu+0x15/0x20 kernel/rcu/tree.c:3136
+	 [<ffffffff812a31ab>] user_update+0x8b/0xb0 security/keys/user_defined.c:129
+	 [<     inline     >] __key_update security/keys/key.c:730
+	 [<ffffffff8129e5c1>] key_create_or_update+0x291/0x440 security/keys/key.c:908
+	 [<     inline     >] SYSC_add_key security/keys/keyctl.c:125
+	 [<ffffffff8129fc21>] SyS_add_key+0x101/0x1e0 security/keys/keyctl.c:60
+	 [<ffffffff8185f617>] entry_SYSCALL_64_fastpath+0x12/0x6a arch/x86/entry/entry_64.S:185
+
+Note the error code (-ENOKEY) in EDX.
+
+A similar bug can be tripped by:
+
+    keyctl request2 trusted user "" @u
+    keyctl add trusted user "a" @u
+
+This should also affect encrypted keys - but that has to be correctly
+parameterised or it will fail with EINVAL before getting to the bit that
+will crashes.
+
+CVE: CVE-2015-8539
+Upstream-Status: Backport
+
+Reported-by: Dmitry Vyukov <dvyukov at google.com>
+Signed-off-by: David Howells <dhowells at redhat.com>
+Acked-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
+Signed-off-by: James Morris <james.l.morris at oracle.com>
+Signed-off-by: Jiri Slaby <jslaby at suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
+---
+ security/keys/encrypted-keys/encrypted.c | 2 ++
+ security/keys/trusted.c                  | 5 ++++-
+ security/keys/user_defined.c             | 5 ++++-
+ 3 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
+index c4c8df4..45d5c59 100644
+--- a/security/keys/encrypted-keys/encrypted.c
++++ b/security/keys/encrypted-keys/encrypted.c
+@@ -845,6 +845,8 @@ static int encrypted_update(struct key *key, struct key_preparsed_payload *prep)
+ 	size_t datalen = prep->datalen;
+ 	int ret = 0;
+ 
++	if (test_bit(KEY_FLAG_NEGATIVE, &key->flags))
++		return -ENOKEY;
+ 	if (datalen <= 0 || datalen > 32767 || !prep->data)
+ 		return -EINVAL;
+ 
+diff --git a/security/keys/trusted.c b/security/keys/trusted.c
+index e13fcf7..d72ff37 100644
+--- a/security/keys/trusted.c
++++ b/security/keys/trusted.c
+@@ -984,13 +984,16 @@ static void trusted_rcu_free(struct rcu_head *rcu)
+  */
+ static int trusted_update(struct key *key, struct key_preparsed_payload *prep)
+ {
+-	struct trusted_key_payload *p = key->payload.data;
++	struct trusted_key_payload *p;
+ 	struct trusted_key_payload *new_p;
+ 	struct trusted_key_options *new_o;
+ 	size_t datalen = prep->datalen;
+ 	char *datablob;
+ 	int ret = 0;
+ 
++	if (test_bit(KEY_FLAG_NEGATIVE, &key->flags))
++		return -ENOKEY;
++	p = key->payload.data;
+ 	if (!p->migratable)
+ 		return -EPERM;
+ 	if (datalen <= 0 || datalen > 32767 || !prep->data)
+diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
+index 55dc889..637f43d 100644
+--- a/security/keys/user_defined.c
++++ b/security/keys/user_defined.c
+@@ -119,7 +119,10 @@ int user_update(struct key *key, struct key_preparsed_payload *prep)
+ 
+ 	if (ret == 0) {
+ 		/* attach the new data, displacing the old */
+-		zap = key->payload.data;
++		if (!test_bit(KEY_FLAG_NEGATIVE, &key->flags))
++			zap = key->payload.data;
++		else
++			zap = NULL;
+ 		rcu_assign_keypointer(key, upayload);
+ 		key->expiry = 0;
+ 	}
+-- 
+cgit v0.12
+
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index 889c564..9cfdfa6 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -5,5 +5,6 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;branch=sdk-v1.9.x \
     file://net-sctp-CVE-2014-0101.patch \
     file://0001-powerpc-Align-TOC-to-256-bytes.patch \
     file://Trusty-SRU-ipc-fix-compat-msgrcv-with-negative-msgtyp.patch \
+    file://CVE-2015-8539.patch \
 "
 SRCREV = "43cecda943a6c40a833b588801b0929e8bd48813"
-- 
1.9.1

More information about the meta-freescale mailing list