linux/security
David Howells 94efe72f76 [PATCH] Destruction of failed keyring oopses
The attached patch makes sure that a keyring that failed to instantiate
properly is destroyed without oopsing [CAN-2005-2099].

The problem occurs in three stages:

 (1) The key allocator initialises the type-specific data to all zeroes. In
     the case of a keyring, this will become a link in the keyring name list
     when the keyring is instantiated.

 (2) If a user (any user) attempts to add a keyring with anything other than
     an empty payload, the keyring instantiation function will fail with an
     error and won't add the keyring to the name list.

 (3) The keyring's destructor then sees that the keyring has a description
     (name) and tries to remove the keyring from the name list, which oopses
     because the link pointers are both zero.

This bug permits any user to take down a box trivially.

Signed-Off-By: David Howells <dhowells@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-08-04 13:11:14 -07:00
..
keys [PATCH] Destruction of failed keyring oopses 2005-08-04 13:11:14 -07:00
selinux [PATCH] selinux: Fix address length checks in connect hook 2005-07-28 21:46:05 -07:00
capability.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
commoncap.c [PATCH] setuid core dump 2005-06-23 09:45:26 -07:00
dummy.c [PATCH] setuid core dump 2005-06-23 09:45:26 -07:00
Kconfig Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
Makefile Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
root_plug.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
seclvl.c [PATCH] sysfs: (rest) if show/store is missing return -EIO 2005-06-20 15:15:03 -07:00
security.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00