Bugzilla – Bug 100506
VUL-0: CVE-2005-2098: kernel: Error during attempt to join key management session can leave semaphore pinned
Last modified: 2021-11-03 15:49:43 UTC
We received the following report via vendor-sec. This issue is not public yet, please keep any information about it inside SUSE.

Date: Wed, 3 Aug 2005 14:01:31 +0100 (BST)
From: Mark J Cox <mjc@redhat.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] [Security] CAN-2005-2098 Error during attempt to join key management session can leave semaphore pinned (fwd)

---------- Forwarded message ----------
Date: Wed, 03 Aug 2005 13:19:03 +0100
From: David Howells <dhowells@redhat.com>
To: security@kernel.org
Subject: [Security] CAN-2005-2098 Error during attempt to join key management session can leave semaphore pinned

The attached patch prevents an error during the key session joining operation from hanging future joins in the D state [CAN-2005-2098].

The problem is that the error handling path for the KEYCTL_JOIN_SESSION_KEYRING operation has one error path that doesn't release the session management semaphore. Further attempts to get the semaphore will then sleep for ever in the D state.

This can happen in four situations, all involving an attempt to allocate a new session keyring:

 (1) ENOMEM.
 (2) The user's key quota being reached.
 (3) A keyring name that is an empty string.
 (4) A keyring name that is too long.

Any user may attempt this operation, and so any user can cause the problem to occur.

Signed-Off-By: David Howells <dhowells@redhat.com>
---
warthog>diffstat -p1 /tmp/linux-2.6.13-key-session-error.patch
 security/keys/process_keys.c | 2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.9/security/keys/process_keys.c.orig 2005-08-02 21:37:05.000000000 +0100 +++ linux-2.6.9/security/keys/process_keys.c 2005-08-02 21:37:07.000000000 +0100 
@@ -678,7 +678,7 @@ long join_session_keyring(const char *na keyring = keyring_alloc(name, tsk->uid, tsk->gid, 0, NULL); if (IS_ERR(keyring)) { ret = PTR_ERR(keyring); - goto error; + goto error2; } } else if (IS_ERR(keyring)) { _______________________________________________ Security mailing list Security@linux.kernel.org http://linux.kernel.org/mailman/listinfo/security _______________________________________________ Vendor Security mailing list Vendor Security@lst.de https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
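Review bot: In the keyring_alloc() failure branch of join_session_keyring(), the fix rests on a one-character label change (goto error to goto error2), and neither label name tells a reader which exit releases the session semaphore. Suggest renaming the two labels for what they do, or adding a short comment at this jump stating that the semaphore is held here and must be dropped on the way out. The label definitions and the body of the following else if (IS_ERR(keyring)) branch are outside this hunk's context, so confirm in the full function that error2 performs the release and that the other failure branch also leaves through it.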
Created attachment 44641 mail as attachment
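The error-path bug described in the report, modelled in userspace as an added example (not code from the kernel or from the patch author). The names model_join, model_alloc, session_sem and the 32-byte name limit are assumptions of the model; only the error/error2 label shape follows the patch.

```c
/* Userspace model of the bug class in the report above. Added example:
 * not kernel code; every name and limit here is hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MODEL_NAME_MAX 32   /* assumed limit, for the model only */
static int session_sem = 1; /* 1 = free, 0 = held */

/* Stand-in for the allocation step: fails on empty or over-long names. */
static int model_alloc(const char *name)
{
    size_t n = strlen(name);
    return (n == 0 || n > MODEL_NAME_MAX) ? -EINVAL : 0;
}

/* fixed == 0 leaves by the exit that skips the release (pre-patch shape);
 * fixed != 0 leaves by the exit that releases the semaphore. */
static int model_join(const char *name, int fixed)
{
    int ret;
    if (!session_sem)
        return -EBUSY;      /* the kernel would sleep here instead */
    session_sem = 0;        /* take the semaphore */
    ret = model_alloc(name);
    if (ret < 0) {
        if (fixed)
            goto error2;
        goto error;         /* pre-patch: leaves with the semaphore held */
    }
error2:
    session_sem = 1;        /* release */
error:
    return ret;
}

/* Regression check: after a failed join, does a valid join still succeed? */
static int join_works_after_failure(const char *bad_name, int fixed)
{
    session_sem = 1;
    (void)model_join(bad_name, fixed);
    return model_join("session-a", fixed) == 0;
}

int main(void)
{
    printf("pre-patch shape: %d\n", join_works_after_failure("", 0));
    printf("patched shape:   %d\n", join_works_after_failure("", 1));
    return 0;
}
```

A check of this form (fail once, then confirm the next caller can still take the lock) is the regression test that catches a missed release on any single exit.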
Was introduced in the 2.6.12 rc phase.
open for others to find
CVE-2005-2098: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)