Bug 100507 (CVE-2005-2099) - VUL-0: CVE-2005-2099: kernel: Destruction of failed keyring oopses
Summary: VUL-0: CVE-2005-2099: kernel: Destruction of failed keyring oopses
Status: RESOLVED INVALID
Alias: CVE-2005-2099
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other All
: P5 - None : Normal
Target Milestone: ---
Assignee: Hubert Mantel
QA Contact: Security Team bot
URL:
Whiteboard: CVE-2005-2099: CVSS v2 Base Score: 5....
Keywords:
Depends on:
Blocks:
 
Reported: 2005-08-03 13:52 UTC by Ludwig Nussel
Modified: 2021-11-10 13:35 UTC (History)
1 user (show)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
mail as attachment (2.02 KB, patch)
2005-08-03 13:54 UTC, Ludwig Nussel 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ludwig Nussel 2005-08-03 13:52:20 UTC 
We received the following report via vendor-sec.
This issue is not public yet, please keep any information about it inside SUSE.

Date: Wed, 3 Aug 2005 14:01:39 +0100 (BST)
From: Mark J Cox <mjc@redhat.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] [Security] CAN-2005-2099 Destruction of failed keyring oopses (fwd)

---------- Forwarded message ----------
Date: Wed, 03 Aug 2005 13:19:07 +0100
From: David Howells <dhowells@redhat.com>
To: security@kernel.org
Subject: [Security] CAN-2005-2099 Destruction of failed keyring oopses


The attached patch makes sure that a keyring that failed to instantiate
properly is destroyed without oopsing [CAN-2005-2099].

The problem occurs in three stages:

 (1) The key allocator initialises the type-specific data to all zeroes. In
     the case of a keyring, this will become a link in the keyring name list
     when the keyring is instantiated.

 (2) If a user (any user) attempts to add a keyring with anything other than
     an empty payload, the keyring instantiation function will fail with an
     error and won't add the keyring to the name list.

 (3) The keyring's destructor then sees that the keyring has a description
     (name) and tries to remove the keyring from the name list, which oopses
     because the link pointers are both zero.

This bug permits any user to take down a box trivially.

Signed-Off-By: David Howells <dhowells@redhat.com>
---
warthog>diffstat -p1 /tmp/linux-2.6.13-key-keyring-destroy.patch
 security/keys/keyring.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletion(-)

--- linux-2.6.9/security/keys/keyring.c.orig	2005-07-28 
16:32:16.445246716 +0100
+++ linux-2.6.9/security/keys/keyring.c	2005-07-28 16:32:56.000000000 +0100
@@ -201,7 +201,11 @@ static void keyring_destroy(struct key *

 	if (keyring->description) {
 		write_lock(&keyring_name_lock);
-		list_del(&keyring->type_data.link);
+
+		if (keyring->type_data.link.next != NULL &&
+		    !list_empty(&keyring->type_data.link))
+			list_del(&keyring->type_data.link);
+
 		write_unlock(&keyring_name_lock);
 	}


_______________________________________________
Security mailing list
Security@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/security
_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
Comment 1 Ludwig Nussel 2005-08-03 13:54:35 UTC 
Created attachment 44642 [details]
mail as attachment
Comment 2 Marcus Meissner 2005-08-15 14:32:33 UTC 
also in stable only
Comment 3 Marcus Meissner 2005-08-18 12:31:48 UTC 
open for others to find
Comment 4 Thomas Biege 2009-10-13 20:54:34 UTC 
CVE-2005-2099: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)