Author: dannf
Date: Fri Mar 16 23:17:54 2007
New Revision: 8368

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/keys-serial-num-collision.patch
   dists/etch-security/linux-2.6/debian/patches/series/11etch1
Modified:
   dists/etch-security/linux-2.6/debian/changelog
Log:
* keys-serial-num-collision.patch
  [SECURITY] Fix the key serial number collision avoidance code in
  key_alloc_serial() that could lead to a local DoS (oops).
  (closes: #398470)
  See CVE-2007-0006

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog      (original)
+++ dists/etch-security/linux-2.6/debian/changelog      Fri Mar 16 23:17:54 2007
@@ -1,3 +1,13 @@
+linux-2.6 (2.6.18.dfsg.1-11etch1) UNRELEASED; urgency=high
+
+  * keys-serial-num-collision.patch
+    [SECURITY] Fix the key serial number collision avoidance code in
+    key_alloc_serial() that could lead to a local DoS (oops).
+    (closes: #398470)
+    See CVE-2007-0006
+
+ -- dann frazier <[EMAIL PROTECTED]>  Fri, 16 Mar 2007 17:15:06 -0600
+
 linux-2.6 (2.6.18.dfsg.1-11) unstable; urgency=low
 
   [ Jurij Smakov ]
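
Review bot: the header line of the new stanza still targets UNRELEASED, although the file lives under dists/etch-security and the entry is marked urgency=high and [SECURITY]; set the target distribution before this is uploaded. The entry would also be easier to trace if it cited the upstream commit (9ad0830f307bcd8dc285cfae58998d43b21727f4, from the patch's X-Git-Url) and kernel BZ #7727 alongside CVE-2007-0006 and #398470.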

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/keys-serial-num-collision.patch
==============================================================================
--- (empty file)
+++ 
dists/etch-security/linux-2.6/debian/patches/bugfix/keys-serial-num-collision.patch
 Fri Mar 16 23:17:54 2007
@@ -0,0 +1,92 @@
+From: David Howells <[EMAIL PROTECTED]>
+Date: Tue, 6 Feb 2007 13:45:51 +0000 (+0000)
+Subject: [PATCH] Keys: Fix key serial number collision handling
+X-Git-Tag: v2.6.21-rc2~42^2~22
+X-Git-Url: 
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9ad0830f307bcd8dc285cfae58998d43b21727f4
+
+[PATCH] Keys: Fix key serial number collision handling
+
+Fix the key serial number collision avoidance code in key_alloc_serial().
+
+This didn't use to be so much of a problem as the key serial numbers were
+allocated from a simple incremental counter, and it would have to go through
+two billion keys before it could possibly encounter a collision.  However, now
+that random numbers are used instead, collisions are much more likely.
+
+This is fixed by finding a hole in the rbtree where the next unused serial
+number ought to be and using that by going almost back to the top of the
+insertion routine and redoing the insertion with the new serial number rather
+than trying to be clever and attempting to work out the insertion point
+pointer directly.
+
+This fixes kernel BZ #7727.
+
+Signed-off-by: David Howells <[EMAIL PROTECTED]>
+Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+---
+
+diff --git a/security/keys/key.c b/security/keys/key.c
+index ac9326c..700400d 100644
+--- a/security/keys/key.c
++++ b/security/keys/key.c
+@@ -188,6 +188,7 @@ static inline void key_alloc_serial(struct key *key)
+ 
+       spin_lock(&key_serial_lock);
+ 
++attempt_insertion:
+       parent = NULL;
+       p = &key_serial_tree.rb_node;
+ 
+@@ -202,39 +203,33 @@ static inline void key_alloc_serial(struct key *key)
+               else
+                       goto serial_exists;
+       }
+-      goto insert_here;
++
++      /* we've found a suitable hole - arrange for this key to occupy it */
++      rb_link_node(&key->serial_node, parent, p);
++      rb_insert_color(&key->serial_node, &key_serial_tree);
++
++      spin_unlock(&key_serial_lock);
++      return;
+ 
+       /* we found a key with the proposed serial number - walk the tree from
+        * that point looking for the next unused serial number */
+ serial_exists:
+       for (;;) {
+               key->serial++;
+-              if (key->serial < 2)
+-                      key->serial = 2;
+-
+-              if (!rb_parent(parent))
+-                      p = &key_serial_tree.rb_node;
+-              else if (rb_parent(parent)->rb_left == parent)
+-                      p = &(rb_parent(parent)->rb_left);
+-              else
+-                      p = &(rb_parent(parent)->rb_right);
++              if (key->serial < 3) {
++                      key->serial = 3;
++                      goto attempt_insertion;
++              }
+ 
+               parent = rb_next(parent);
+               if (!parent)
+-                      break;
++                      goto attempt_insertion;
+ 
+               xkey = rb_entry(parent, struct key, serial_node);
+               if (key->serial < xkey->serial)
+-                      goto insert_here;
++                      goto attempt_insertion;
+       }
+ 
+-      /* we've found a suitable hole - arrange for this key to occupy it */
+-insert_here:
+-      rb_link_node(&key->serial_node, parent, p);
+-      rb_insert_color(&key->serial_node, &key_serial_tree);
+-
+-      spin_unlock(&key_serial_lock);
+-
+ } /* end key_alloc_serial() */
+ 
+ 
/*****************************************************************************/
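
Review bot: in the serial_exists loop of the embedded key.c change, the wrap-around floor moves from 2 to 3 (`if (key->serial < 3) { key->serial = 3; goto attempt_insertion; }`), but neither the commit message nor a comment says why or which serial values are reserved. Add a one-line comment there naming the reserved range, so the constant can be checked against the initial serial selection, which is not visible in this hunk. Since this is the path that oopsed, it is also worth confirming that every `goto attempt_insertion` is reached with key_serial_lock held: the label sits after spin_lock() and the only spin_unlock() is on the new insertion path just before `return`, so from the visible lines that holds.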

Added: dists/etch-security/linux-2.6/debian/patches/series/11etch1
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/series/11etch1 Fri Mar 16 
23:17:54 2007
@@ -0,0 +1 @@
++ bugfix/keys-serial-num-collision.patch

_______________________________________________
Kernel-svn-changes mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
