lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 30 Mar 2011 14:03:59 -0700 (PDT)
From:	Andi Kleen <andi@...stfloor.org>
To:	dhowells@...hat.com, ak@...ux.intel.com,
	linux-kernel@...r.kernel.org, stable@...nel.org,
	tim.bird@...sony.com
Subject: [PATCH] [6/275] Fix cred leak in AF_NETLINK

2.6.35-longterm review patch.  If anyone has any objections, please let me know.

------------------
Patch cab9e9848b9a8283b0504a2d7c435a9f5ba026de to the 2.6.35.y stable tree
stored a ref to the current cred struct in struct scm_cookie.  This was fine
with AF_UNIX as that calls scm_destroy() from its packet sending functions, but
AF_NETLINK, which also uses scm_send(), does not call scm_destroy() - meaning
that the copied credentials leak each time SCM data is sent over a netlink
socket.

This can be triggered quite simply on a Fedora 13 or 14 userspace with the
2.6.35.11 kernel (or something based off of that) by calling:

	#!/bin/bash
	for ((i=0; i<100; i++))
	do
		su - -c /bin/true
		cut -d: -f1 /proc/slabinfo | grep 'cred\|key\|task_struct'
		cat /proc/keys | wc -l
	done

This leaks the session key that pam_keyinit creates for 'su -', which appears
in /proc/keys as being revoked (has the R flag set against it) afterward su is
called.

Furthermore, if CONFIG_SLAB=y, then the cred and key slab object usage counts
can be viewed and seen to increase.  The key slab increases by one object per
loop, and this can be seen after the system has had a couple of minutes to
stand after the script above has been run on it.

If the system is working correctly, the key and cred counts should return to
roughly what they were before.

Signed-off-by: David Howells <dhowells@...hat.com>
Signed-off-by: Andi Kleen <ak@...ux.intel.com>

---

 net/netlink/af_netlink.c |   14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

Index: linux-2.6.35.y/net/netlink/af_netlink.c
===================================================================
--- linux-2.6.35.y.orig/net/netlink/af_netlink.c	2011-03-29 22:52:05.032059161 -0700
+++ linux-2.6.35.y/net/netlink/af_netlink.c	2011-03-29 23:53:42.295455441 -0700
@@ -1330,12 +1330,16 @@
 		return err;
 
 	if (msg->msg_namelen) {
-		if (addr->nl_family != AF_NETLINK)
-			return -EINVAL;
+		if (addr->nl_family != AF_NETLINK) {
+			err = -EINVAL;
+			goto out;
+		}
 		dst_pid = addr->nl_pid;
 		dst_group = ffs(addr->nl_groups);
-		if (dst_group && !netlink_capable(sock, NL_NONROOT_SEND))
-			return -EPERM;
+		if (dst_group && !netlink_capable(sock, NL_NONROOT_SEND)) {
+			err = -EPERM;
+			goto out;
+		}
 	} else {
 		dst_pid = nlk->dst_pid;
 		dst_group = nlk->dst_group;
@@ -1387,6 +1391,8 @@
 	err = netlink_unicast(sk, skb, dst_pid, msg->msg_flags&MSG_DONTWAIT);
 
 out:
+	scm_destroy(siocb->scm);
+	siocb->scm = NULL;
 	return err;
 }
 
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ