Pandora Sourcecodes - pandora-kernel.git/commit

author	Eric Biggers <ebiggers@google.com>
	Tue, 18 Apr 2017 14:31:09 +0000 (15:31 +0100)
committer	Ben Hutchings <ben@decadent.org.uk>
	Mon, 5 Jun 2017 20:13:54 +0000 (21:13 +0100)
commit	0ebd7208190d2f7b16fee3cea05665e212cebaab
tree	326aface5bbe93a7b8f41fb017d0f12d5ed01a68	tree \| snapshot
parent	96053b293c69c636d8d34fc569ac81fbf1118658	commit \| diff

KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings

commit c9f838d104fed6f2f61d68164712e3204bf5271b upstream.

This fixes CVE-2017-7472.

Running the following program as an unprivileged user exhausts kernel
memory by leaking thread keyrings:

#include <keyutils.h>

int main()
{
for (;;)
keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING);
}

Fix it by only creating a new thread keyring if there wasn't one before.
To make things more consistent, make install_thread_keyring_to_cred()
and install_process_keyring_to_cred() both return 0 if the corresponding
keyring is already present.

Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

security/keys/keyctl.c		diff \| blob \| history
security/keys/process_keys.c		diff \| blob \| history