[v3.0] kernel: kernel keyring that can be used to cause a local denial of service (CVE-2015-1333)
While improving the system call coverage in stress-ng[1], a bug was discovered in the Linux kernel keyring that can be used to cause a local denial of service due to memory exhaustion when the same key is repeatedly added to the kernel keyring via the add_key() syscall.
__key_link_end() is not freeing the associated array edit structure, and this leads to a 512 byte memory leak each time an identical existing key is added with add_key().
The reason the add_key() system call returns okay is that key_create_or_update() calls __key_link_begin() before checking to see whether it can update a key directly rather than adding/replacing - which it turns out it can. Thus __key_link() is not called through __key_instantiate_and_link(), and __key_link_end() must cancel the edit.
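The following is an added user-space model of the begin/end edit lifecycle described above; it is not kernel code and not part of this issue. Every name with a `model_` prefix is hypothetical. It keeps only the shape of the defect: an edit record is allocated in begin(), and on the "update an existing key" path nothing applies that edit, so end() is the only place left to cancel it. The buggy end() guards the cancel behind the same condition as the quota roll-back, so every repeat of an identical key leaves one 512 byte record outstanding; the fixed end() cancels on every path.

```c
/* Added example (not kernel code): a model of the __key_link_begin() /
 * __key_link_end() edit lifecycle. All model_* names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MODEL_EDIT_SIZE 512   /* the size the issue attributes to each leaked edit */

struct model_edit {
    bool dead_leaf;           /* set when the edit would displace an existing key */
    unsigned char body[MODEL_EDIT_SIZE - sizeof(bool)];
};

/* Global accounting so a caller can observe how many edits are outstanding. */
static long model_live_edits;

/* __key_link_begin() counterpart: allocate the edit for a pending link. */
static struct model_edit *model_link_begin(bool key_exists)
{
    struct model_edit *e = calloc(1, sizeof(*e));
    if (!e)
        abort();
    e->dead_leaf = key_exists;
    model_live_edits++;
    return e;
}

/* assoc_array_cancel_edit() counterpart: discard an edit that was never applied. */
static void model_cancel_edit(struct model_edit *e)
{
    model_live_edits--;
    free(e);
}

/* __key_link() counterpart: apply the edit, which consumes it and clears the
 * caller's pointer, so a later end() sees NULL and has nothing to cancel. */
static void model_apply_edit(struct model_edit **pe)
{
    model_live_edits--;
    free(*pe);
    *pe = NULL;
}

/* Buggy shape: the quota roll-back and the cancel share one condition, so an
 * edit whose key already existed (dead_leaf set) is never freed. */
static void model_link_end_buggy(struct model_edit *e)
{
    if (e && !e->dead_leaf) {
        /* quota roll-back would happen here */
        model_cancel_edit(e);
    }
}

/* Fixed shape: only the quota roll-back depends on dead_leaf; the edit is
 * cancelled on every path that still holds one. */
static void model_link_end_fixed(struct model_edit *e)
{
    if (e) {
        if (!e->dead_leaf) {
            /* quota roll-back would happen here */
        }
        model_cancel_edit(e);
    }
}

/* One add_key()-style call: begin the link first, then decide whether the key
 * is new (instantiate and link, consuming the edit) or already exists (update
 * in place, never touching the edit). */
static void model_add_key(bool key_exists, bool use_fixed)
{
    struct model_edit *e = model_link_begin(key_exists);
    if (!key_exists)
        model_apply_edit(&e);      /* new key: linked, edit consumed */
    /* existing key: updated directly, edit still pending */
    if (use_fixed)
        model_link_end_fixed(e);
    else
        model_link_end_buggy(e);
}

/* Create a key once, then add the identical key `repeats` more times.
 * Returns the number of bytes still held by unreleased edits. */
long model_leaked_bytes(int repeats, bool use_fixed)
{
    model_live_edits = 0;
    model_add_key(false, use_fixed);
    for (int i = 0; i < repeats; i++)
        model_add_key(true, use_fixed);
    return model_live_edits * MODEL_EDIT_SIZE;
}

int main(void)
{
    printf("buggy end(): %ld bytes outstanding after 1000 repeats\n",
           model_leaked_bytes(1000, false));
    printf("fixed end(): %ld bytes outstanding after 1000 repeats\n",
           model_leaked_bytes(1000, true));
    return 0;
}
```

The point the model makes is the one the issue states: the resource is acquired unconditionally in begin(), so end() has to release it on every path where nothing else consumed it, not only on the path where a new key was linked.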
The following commit introduced the issue:
commit 034faeb9ef390d58239e1dce748143f6b35a0d9b
Date: Wed Oct 30 11:15:24 2013 +0000
KEYS: Fix keyring quota misaccounting on key replacement and unlink
Which means that v3.13 and newer kernels are affected:
$ git describe --contains 034faeb9ef390d58239e1dce748143f6b35a0d9b
v3.13-rc118^26^2~2
- upstream commit: ca4da5dd1f99fe9c59f1709fb43e818b18ad20e0
- linux-3.14: c9cd9b18dac801040ada16562dc579d5ac366d75
- linux-3.18: 66db51c9f7b2fe7ebdfa753b2aa9abbb9feddc87
References:
- http://seclists.org/oss-sec/2015/q3/227
- http://permalink.gmane.org/gmane.linux.kernel/2009941
- https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.49
- https://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.18.20
(from redmine: issue id 4599, created on 2015-08-26, closed on 2016-03-01)
- Relations:
  - parent #4598 (closed)
- Changesets:
  - Revision 3a956ec6 on 2015-12-30T15:42:17Z:
    main/linux-grsec: security fix CVE-2015-1333. Fixes #4599