From patchwork Sat Apr 1 23:39:08 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 9658331 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id DDF40602BC for ; Sat, 1 Apr 2017 23:39:43 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CF6442851A for ; Sat, 1 Apr 2017 23:39:43 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id C426A28552; Sat, 1 Apr 2017 23:39:43 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.3 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM, T_DKIM_INVALID autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7CADE2851A for ; Sat, 1 Apr 2017 23:39:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751952AbdDAXj3 (ORCPT ); Sat, 1 Apr 2017 19:39:29 -0400 Received: from mail-pf0-f195.google.com ([209.85.192.195]:36735 "EHLO mail-pf0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751284AbdDAXj2 (ORCPT ); Sat, 1 Apr 2017 19:39:28 -0400 Received: by mail-pf0-f195.google.com with SMTP id r137so4996807pfr.3; Sat, 01 Apr 2017 16:39:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=xUfJK0dxeXyO2fHjb8AJzQgrICVVPkAewEHd34Y5xX8=; b=ol+AP6/kgOp4aimop27d6u7Wa2BW7u0PgXEcdm22LdlvPpDOcu267YveCya1lumaDN 4ZtTUgDvRi1vmnLryETZIMkaIhaQnv8ndsyNQSGcNA3nukmXJYp+9iz1k43y54L1SwA1 Umx/CeLEdo7+n+8cs6HIoBl5E74BSniML0OBI43KETDKfWJJRDGoeFQhGKYkJVlqJ8pf flfH/p42Xfvx3OxxANIkYLDvEsmsZZBmWOxlxr9HbvjEfbuQPsSFxqz7tOLhZ0hrltn+ h7uYpOi6TxPCD+reHGAqW5ECkBI0mgBfyuweBRbFxVz9nzipfQ/QzkUieLGT7f7aDkpi RCrA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=xUfJK0dxeXyO2fHjb8AJzQgrICVVPkAewEHd34Y5xX8=; b=F55AGZ/l7ZXvzdGfODo29UNlJtzNe3tpa+d0eu+rSSfu0vbJ9QGSFy2wsYh5k6jgdx eX6Q02vpJje6pxPl/pj3mZzc5KDCZPEES6GRYWkVAzgMMARJdMDZ4IrxWrQhua7uWOX3 8rToBcfs5hW9GZwyRF6aTF7E/W3n7IepgmNBe1eMVznYxmi0PRJ9FmlpGI4Yf+p8aDrr KCcEALq/7S5or04FPytdMm1TVBkZD+gOASzHrepfNBfdyje+4pLmkCJyOrjb64Iwm4HF xOssvatEZ47LHHYnJQjNa7bMilVzVdC9Ps+hq8mU8yIq0J9fdM/SP/uJHKPtoIqh2LzU tyFQ== X-Gm-Message-State: AFeK/H0POU4EvVSRQzQnU5lFIaoijp2ApGW8Nvsy3++0KUfUzhLqiuLTi5WzjuBok6FqKw== X-Received: by 10.84.202.194 with SMTP id q2mr12000835plh.108.1491089967622; Sat, 01 Apr 2017 16:39:27 -0700 (PDT) Received: from zzz.hsd1.wa.comcast.net (c-73-239-167-150.hsd1.wa.comcast.net. [73.239.167.150]) by smtp.gmail.com with ESMTPSA id b70sm17797183pfc.100.2017.04.01.16.39.26 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 01 Apr 2017 16:39:27 -0700 (PDT) From: Eric Biggers To: keyrings@vger.kernel.org Cc: David Howells , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Eric Biggers , stable@vger.kernel.org Subject: [PATCH] KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings Date: Sat, 1 Apr 2017 16:39:08 -0700 Message-Id: <20170401233908.20786-1-ebiggers3@gmail.com> X-Mailer: git-send-email 2.12.1 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers Running the following program as an unprivileged user exhausts kernel memory by leaking thread keyrings: #include int main() { for (;;) keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING); } Fix it by only creating a new thread keyring if there wasn't one before, just as we do for process keyrings. Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials") Cc: stable@vger.kernel.org # 2.6.29+ Signed-off-by: Eric Biggers --- security/keys/keyctl.c | 13 +++++-------- security/keys/process_keys.c | 3 +++ 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 52c34532c785..6f3440530835 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c @@ -1253,8 +1253,8 @@ long keyctl_reject_key(key_serial_t id, unsigned timeout, unsigned error, * Read or set the default keyring in which request_key() will cache keys and * return the old setting. * - * If a process keyring is specified then this will be created if it doesn't - * yet exist. The old setting will be returned if successful. + * If a thread or process keyring is specified then it will be created if it + * doesn't yet exist. The old setting will be returned if successful. */ long keyctl_set_reqkey_keyring(int reqkey_defl) { @@ -1273,17 +1273,14 @@ long keyctl_set_reqkey_keyring(int reqkey_defl) switch (reqkey_defl) { case KEY_REQKEY_DEFL_THREAD_KEYRING: ret = install_thread_keyring_to_cred(new); - if (ret < 0) + if (ret < 0 && ret != -EEXIST) goto error; goto set; case KEY_REQKEY_DEFL_PROCESS_KEYRING: ret = install_process_keyring_to_cred(new); - if (ret < 0) { - if (ret != -EEXIST) - goto error; - ret = 0; - } + if (ret < 0 && ret != -EEXIST) + goto error; goto set; case KEY_REQKEY_DEFL_DEFAULT: diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c index b6fdd22205b1..9e5337876e52 100644 --- a/security/keys/process_keys.c +++ b/security/keys/process_keys.c @@ -135,6 +135,9 @@ int install_thread_keyring_to_cred(struct cred *new) { struct key *keyring; + if (new->thread_keyring) + return -EEXIST; + keyring = keyring_alloc("_tid", new->uid, new->gid, new, KEY_POS_ALL | KEY_USR_VIEW, KEY_ALLOC_QUOTA_OVERRUN,