From d587946ff0b350a0f9f98e75b6d3941527923ab3 Mon Sep 17 00:00:00 2001 From: David Howells Date: Mon, 19 Oct 2015 11:20:28 +0100 Subject: [PATCH] KEYS: Don't permit request_key() to construct a new keyring If request_key() is used to find a keyring, only do the search part - don't do the construction part if the keyring was not found by the search. We don't really want keyrings in the negative instantiated state since the rejected/negative instantiation error value in the payload is unioned with keyring metadata. Now the kernel gives an error: request_key("keyring", "#selinux,bdekeyring", "keyring", KEY_SPEC_USER_SESSION_KEYRING) = -1 EPERM (Operation not permitted) Signed-off-by: David Howells CVE-2015-7872 Signed-off-by: Kevin F. Haggerty Change-Id: I3603fec8fab929d7636d7223901f16dc8d8026cc --- security/keys/request_key.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/security/keys/request_key.c b/security/keys/request_key.c index 52af4ffdead2..fc5bab9bf5e6 100644 --- a/security/keys/request_key.c +++ b/security/keys/request_key.c @@ -481,6 +481,9 @@ static struct key *construct_key_and_link(struct key_type *type, kenter(""); + if (type == &key_type_keyring) + return ERR_PTR(-EPERM); + ret = construct_get_dest_keyring(&dest_keyring); if (ret) goto error;