From c3a9d6541f84ac3ff566982d08389b87c1c36b4e Mon Sep 17 00:00:00 2001 From: David Howells Date: Mon, 10 Apr 2006 15:15:21 +0100 Subject: [Security] Keys: Fix oops when adding key to non-keyring This fixes the problem of an oops occuring when a user attempts to add a key to a non-keyring key [CVE-2006-1522]. The problem is that __keyring_search_one() doesn't check that the keyring it's been given is actually a keyring. I've fixed this problem by: (1) declaring that caller of __keyring_search_one() must guarantee that the keyring is a keyring; and (2) making key_create_or_update() check that the keyring is a keyring, and return -ENOTDIR if it isn't. This can be tested by: keyctl add user b b `keyctl add user a a @s` Signed-off-by: David Howells Signed-off-by: Linus Torvalds --- security/keys/key.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'security/keys/key.c') diff --git a/security/keys/key.c b/security/keys/key.c index a057e3311aad..b6061fa29da7 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -785,6 +785,10 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, key_check(keyring); + key_ref = ERR_PTR(-ENOTDIR); + if (keyring->type != &key_type_keyring) + goto error_2; + down_write(&keyring->sem); /* if we're going to allocate a new key, we're going to have -- cgit v1.2.3