summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2017-04-18 16:31:08 +0200
committerDavid Howells <dhowells@redhat.com>2017-04-18 16:31:39 +0200
commitc1644fe041ebaf6519f6809146a77c3ead9193af (patch)
tree31ff05d7310b95fbf992b0c3cf328a5e6b0eba83 /security
parentKEYS: Disallow keyrings beginning with '.' to be joined as session keyrings (diff)
downloadlinux-c1644fe041ebaf6519f6809146a77c3ead9193af.tar.xz
linux-c1644fe041ebaf6519f6809146a77c3ead9193af.zip
KEYS: Change the name of the dead type to ".dead" to prevent user access
This fixes CVE-2017-6951. Userspace should not be able to do things with the "dead" key type as it doesn't have some of the helper functions set upon it that the kernel needs. Attempting to use it may cause the kernel to crash. Fix this by changing the name of the type to ".dead" so that it's rejected up front on userspace syscalls by key_get_type_from_user(). Though this doesn't seem to affect recent kernels, it does affect older ones, certainly those prior to: commit c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81 Author: David Howells <dhowells@redhat.com> Date: Tue Sep 16 17:36:06 2014 +0100 KEYS: Remove key_type::match in favour of overriding default by match_preparse which went in before 3.18-rc1. Signed-off-by: David Howells <dhowells@redhat.com> cc: stable@vger.kernel.org
Diffstat (limited to 'security')
-rw-r--r--security/keys/gc.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/security/keys/gc.c b/security/keys/gc.c
index addf060399e0..9cb4fe4478a1 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -46,7 +46,7 @@ static unsigned long key_gc_flags;
* immediately unlinked.
*/
struct key_type key_type_dead = {
- .name = "dead",
+ .name = ".dead",
};
/*