Linux kernel 2.6.39 cred->user_ns in key_replace_session_keyring

2011-09-12 / 2011-09-13
Risk: High
Local: Yes
Remote: No
CWE: CWE-Other


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Fooi, it looks like all users of cred_alloc_blank() may need to be audited wrt commit 47a150edc2ae734c0f4bf50aa19499e23b9a46f8. Does this fix the bug you're seeing? From: Serge E. Hallyn <serge.hallyn@canonical.com> Date: Wed, 25 May 2011 15:41:23 +0100 Subject: [PATCH 1/1] Set cred->user_ns in key_replace_session_keyring Since this cred was not created with copy_creds(), it needs to get initialized. Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com> --- security/keys/process_keys.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c index 6c0480d..92a3a5d 100644 --- a/security/keys/process_keys.c +++ b/security/keys/process_keys.c @@ -847,6 +847,7 @@ void key_replace_session_keyring(void) new-> sgid = old-> sgid; new->fsgid = old->fsgid; new->user = get_uid(old->user); + new->user_ns = new->user->user_ns; new->group_info = get_group_info(old->group_info); new->securebits = old->securebits; -- 1.7.0.4
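
Review bot: the added `new->user_ns = new->user->user_ns;` in key_replace_session_keyring() fixes a single caller by hand, while the cover text says all users of cred_alloc_blank() may need to be audited. The commit message should say what goes wrong when user_ns is left unset and whether the other cred_alloc_blank() callers were checked or are still pending. A one-line comment above the assignment noting that this cred does not come from copy_creds(), so each field has to be set explicitly here, would help keep the next field added to struct cred from being missed in this function in the same way.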

References:

https://lkml.org/lkml/2011/5/25/265
http://www.openwall.com/lists/oss-security/2011/06/06/2
http://www.openwall.com/lists/oss-security/2011/06/03/2
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f7285b5d631fd6096b11c6af0058ed3a2b30ef4e
https://lkml.org/lkml/2011/5/24/502
https://lkml.org/lkml/2011/5/23/199
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.39.1
http://alt.swiecki.net/linux_kernel/sys_open-kmem_cache_alloc-2.6.39-rc4.txt

