diff options
| author | David Howells | 2006-04-10 16:15:21 +0200 |
|---|---|---|
| committer | Linus Torvalds | 2006-04-10 18:33:46 +0200 |
| commit | c3a9d6541f84ac3ff566982d08389b87c1c36b4e (patch) | |
| tree | 161e507b276105b35dadf0c2637be9f018b0f664 /security/keys/key.c | |
| parent | Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 (diff) | |
| download | kernel-qcow2-linux-c3a9d6541f84ac3ff566982d08389b87c1c36b4e.tar.gz kernel-qcow2-linux-c3a9d6541f84ac3ff566982d08389b87c1c36b4e.tar.xz kernel-qcow2-linux-c3a9d6541f84ac3ff566982d08389b87c1c36b4e.zip | |
[Security] Keys: Fix oops when adding key to non-keyring
This fixes the problem of an oops occuring when a user attempts to add a
key to a non-keyring key [CVE-2006-1522].
The problem is that __keyring_search_one() doesn't check that the
keyring it's been given is actually a keyring.
I've fixed this problem by:
(1) declaring that caller of __keyring_search_one() must guarantee that
the keyring is a keyring; and
(2) making key_create_or_update() check that the keyring is a keyring,
and return -ENOTDIR if it isn't.
This can be tested by:
keyctl add user b b `keyctl add user a a @s`
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'security/keys/key.c')
| -rw-r--r-- | security/keys/key.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/security/keys/key.c b/security/keys/key.c index a057e3311aad..b6061fa29da7 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -785,6 +785,10 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, key_check(keyring); + key_ref = ERR_PTR(-ENOTDIR); + if (keyring->type != &key_type_keyring) + goto error_2; + down_write(&keyring->sem); /* if we're going to allocate a new key, we're going to have |