diff options
| author | Eric Biggers <ebiggers@google.com> | 2017-04-18 15:31:09 +0100 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2017-06-05 21:17:21 +0100 |
| commit | f7ce1014bc5e4bb42d6b9f5afb308f59534067ea (patch) | |
| tree | 4c1bebfca3ef00594b2a46bd72bc6ec16300c2ed /kernel | |
| parent | 7bb3f26487e578c2cb0567196ce93c008967a269 (diff) | |
KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings
commit c9f838d104fed6f2f61d68164712e3204bf5271b upstream.
This fixes CVE-2017-7472.
Running the following program as an unprivileged user exhausts kernel
memory by leaking thread keyrings:
#include <keyutils.h>
int main()
{
for (;;)
keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING);
}
Fix it by only creating a new thread keyring if there wasn't one before.
To make things more consistent, make install_thread_keyring_to_cred()
and install_process_keyring_to_cred() both return 0 if the corresponding
keyring is already present.
Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'kernel')
0 files changed, 0 insertions, 0 deletions