author    Jiri Kosina <jkosina@suse.cz>  2016-07-15 16:30:08 +0200
committer Jiri Kosina <jkosina@suse.cz>  2016-07-15 16:30:08 +0200
commit    1a67172305f1a47040c6262cd15d547351a48db0 (patch)
tree      9461ada7d4d6b81d69dc8d0d085b69c4de96dae8
parent    7f67c69d79117e4b87add3e059ce4e4df320c9a6 (diff)
parent    8c86751f7335cb9df1e09467e510a7fe69557874 (diff)
Merge remote-tracking branch 'origin/cve/linux-3.0' into SLE11-SP4
-rw-r--r--  patches.fixes/0001-KEYS-potential-uninitialized-variable.patch  91
-rw-r--r--  patches.fixes/hid-hiddev-validate-num_values.patch  45
-rw-r--r--  series.conf  8
3 files changed, 144 insertions, 0 deletions
diff --git a/patches.fixes/0001-KEYS-potential-uninitialized-variable.patch b/patches.fixes/0001-KEYS-potential-uninitialized-variable.patch
new file mode 100644
index 0000000000..7c0fc8dc96
--- /dev/null
+++ b/patches.fixes/0001-KEYS-potential-uninitialized-variable.patch
@@ -0,0 +1,91 @@
+From 38327424b40bcebe2de92d07312c89360ac9229a Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 16 Jun 2016 15:48:57 +0100
+Subject: [PATCH] KEYS: potential uninitialized variable
+
+Git-commit: 38327424b40bcebe2de92d07312c89360ac9229a
+Patch-mainline: v4.7-rc4
+References: bsc#984755, CVE-2016-4470
+
+If __key_link_begin() failed then "edit" would be uninitialized. I've
+added a check to fix that.
+
+This allows a random user to crash the kernel, though it's quite
+difficult to achieve. There are three ways it can be done as the user
+would have to cause an error to occur in __key_link():
+
+ (1) Cause the kernel to run out of memory. In practice, this is difficult
+ to achieve without ENOMEM cropping up elsewhere and aborting the
+ attempt.
+
+ (2) Revoke the destination keyring between the keyring ID being looked up
+ and it being tested for revocation. In practice, this is difficult to
+ time correctly because the KEYCTL_REJECT function can only be used
+ from the request-key upcall process. Further, users can only make use
+ of what's in /sbin/request-key.conf, though this does including a
+ rejection debugging test - which means that the destination keyring
+ has to be the caller's session keyring in practice.
+
+ (3) Have just enough key quota available to create a key, a new session
+ keyring for the upcall and a link in the session keyring, but not then
+ sufficient quota to create a link in the nominated destination keyring
+ so that it fails with EDQUOT.
+
+The bug can be triggered using option (3) above using something like the
+following:
+
+ echo 80 >/proc/sys/kernel/keys/root_maxbytes
+ keyctl request2 user debug:fred negate @t
+
+The above sets the quota to something much lower (80) to make the bug
+easier to trigger, but this is dependent on the system. Note also that
+the name of the keyring created contains a random number that may be
+between 1 and 10 characters in size, so may throw the test off by
+changing the amount of quota used.
+
+Assuming the failure occurs, something like the following will be seen:
+
+ kfree_debugcheck: out of range ptr 6b6b6b6b6b6b6b68h
+ ------------[ cut here ]------------
+ kernel BUG at ../mm/slab.c:2821!
+ ...
+ RIP: 0010:[<ffffffff811600f9>] kfree_debugcheck+0x20/0x25
+ RSP: 0018:ffff8804014a7de8 EFLAGS: 00010092
+ RAX: 0000000000000034 RBX: 6b6b6b6b6b6b6b68 RCX: 0000000000000000
+ RDX: 0000000000040001 RSI: 00000000000000f6 RDI: 0000000000000300
+ RBP: ffff8804014a7df0 R08: 0000000000000001 R09: 0000000000000000
+ R10: ffff8804014a7e68 R11: 0000000000000054 R12: 0000000000000202
+ R13: ffffffff81318a66 R14: 0000000000000000 R15: 0000000000000001
+ ...
+ Call Trace:
+ kfree+0xde/0x1bc
+ assoc_array_cancel_edit+0x1f/0x36
+ __key_link_end+0x55/0x63
+ key_reject_and_link+0x124/0x155
+ keyctl_reject_key+0xb6/0xe0
+ keyctl_negate_key+0x10/0x12
+ SyS_keyctl+0x9f/0xe7
+ do_syscall_64+0x63/0x13a
+ entry_SYSCALL64_slow_path+0x25/0x25
+
+Fixes: f70e2e06196a ('KEYS: Do preallocation for __key_link()')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: stable@vger.kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Lee, Chun-Yi <jlee@suse.com>
+---
+ security/keys/key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/keys/key.c
++++ b/security/keys/key.c
+@@ -580,7 +580,7 @@ int key_reject_and_link(struct key *key,
+
+ mutex_unlock(&key_construction_mutex);
+
+- if (keyring)
++ if (keyring && link_ret == 0)
+ __key_link_end(keyring, key->type, prealloc);
+
+ /* wake up anyone waiting for a key to be constructed */
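Review bot: The description says `edit` would be uninitialized when `__key_link_begin()` fails, but the backported line calls `__key_link_end(keyring, key->type, prealloc)`, so in this tree the object that must not be handed to `__key_link_end()` is `prealloc`; a one-line note under the Git-commit/Patch-mainline block saying the hunk was adapted to the 3.0-era `__key_link_end()` signature would save the next reader from chasing a variable that does not exist here. The new condition `if (keyring && link_ret == 0)` also relies on `link_ret` being the variable that captured the return value of `__key_link_begin()` earlier in `key_reject_and_link()`, which is outside the visible context, so confirm that the SLE11-SP4 function has that variable and that every path reaching this point sets it before the `mutex_unlock(&key_construction_mutex)` shown above.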
diff --git a/patches.fixes/hid-hiddev-validate-num_values.patch b/patches.fixes/hid-hiddev-validate-num_values.patch
new file mode 100644
index 0000000000..555fdf98c8
--- /dev/null
+++ b/patches.fixes/hid-hiddev-validate-num_values.patch
@@ -0,0 +1,45 @@
+From: Scott Bauer <sbauer@plzdonthack.me>
+Date: Thu, 23 Jun 2016 08:59:47 -0600
+Subject: HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands
+Git-commit: 93a2001bdfd5376c3dc2158653034c20392d15c5
+Patch-mainline: v4.7-rc5
+References: bsc#986572 CVE-2016-5829
+
+This patch validates the num_values parameter from userland during the
+HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
+to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
+leading to a heap overflow.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+ drivers/hid/usbhid/hiddev.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
+index 2f1ddca..700145b 100644
+--- a/drivers/hid/usbhid/hiddev.c
++++ b/drivers/hid/usbhid/hiddev.c
+@@ -516,13 +516,13 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd,
+ goto inval;
+ } else if (uref->usage_index >= field->report_count)
+ goto inval;
+-
+- else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
+- (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
+- uref->usage_index + uref_multi->num_values > field->report_count))
+- goto inval;
+ }
+
++ if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
++ (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
++ uref->usage_index + uref_multi->num_values > field->report_count))
++ goto inval;
++
+ switch (cmd) {
+ case HIDIOCGUSAGE:
+ uref->value = field->value[uref->usage_index];
+--
+cgit v0.12
+
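Review bot: The condition is carried over verbatim and only moved out of the `else` chain to after the closing brace, so the sole behavioural change is that the `HID_REPORT_ID_UNKNOWN` path no longer bypasses the `num_values` bounds check, which is what the description asks for. That path must also have assigned `field` before the new check dereferences `field->report_count`; the visible context shows `field` used only on the other branch (`else if (uref->usage_index >= field->report_count)`), so confirm the lookup on the unknown-report path sets it before falling through. Two housekeeping points: the file ends with `+--` and `+cgit v0.12` carried over from the web export of the upstream commit, which quilt ignores after the `--` terminator but which should be stripped, and the header line `References: bsc#986572 CVE-2016-5829` lacks the comma separator used by the other new patch (`bsc#984755, CVE-2016-4470`).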
diff --git a/series.conf b/series.conf
index 2ae667550a..27f5e8edad 100644
--- a/series.conf
+++ b/series.conf
@@ -2236,6 +2236,12 @@
patches.arch/intel_idle-fine-tune-IVT-residency-targets
########################################################
+ # Input & Console
+ ########################################################
+
+ patches.fixes/hid-hiddev-validate-num_values.patch
+
+ ########################################################
# Suse specific stuff
########################################################
patches.suse/panic-on-io-nmi-SLE11-user-space-api.patch
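Review bot: The new `# Input & Console` banner lists `patches.fixes/hid-hiddev-validate-num_values.patch` without the bug/CVE comment that the other new entry in this file gets (`# bsc#984755, CVE-2016-4470` directly above its patch line); add `# bsc#986572, CVE-2016-5829`, taken from the patch's References line, above this entry so both CVE fixes can be found in series.conf the same way. It is also worth a second look whether a dedicated section for a single patch between `patches.arch/intel_idle-fine-tune-IVT-residency-targets` and `# Suse specific stuff` is intended, or whether the entry belongs alongside the other CVE-tagged fixes further down.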
@@ -21102,6 +21108,8 @@
patches.suse/0001-KEYS-Fix-race-between-read-and-revoke.patch
# bnc#970909, CVE-2016-3139
patches.suse/0001-wacom-fix-crash-due-to-missing-endpoint.patch
+ # bsc#984755, CVE-2016-4470
+ patches.fixes/0001-KEYS-potential-uninitialized-variable.patch
##########################################################
# AppArmor