Author: lcapitulino
Date: Tue Feb 13 14:10:29 2007
New Revision: 120388

Added:
   packages/updates/2007.0/kernel-2.6/current/PATCHES/patches/ZZ12_CVE-2007-0006_key_serial_number_collision_fix.patch
Modified:
   packages/updates/2007.0/kernel-2.6/current/SPECS/kernel-2.6.spec

Log:
Fix for CVE-2007-0006

Added: packages/updates/2007.0/kernel-2.6/current/PATCHES/patches/ZZ12_CVE-2007-0006_key_serial_number_collision_fix.patch
==============================================================================
--- (empty file)
+++ 
packages/updates/2007.0/kernel-2.6/current/PATCHES/patches/ZZ12_CVE-2007-0006_key_serial_number_collision_fix.patch
 Tue Feb 13 14:10:29 2007
@@ -0,0 +1,100 @@
+Patch from:
+
+https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=227495
+
+Bellow is the official upstream version's changelog.
+
+Signed-off-by: Luiz Fernando N. Capitulino <[EMAIL PROTECTED]>
+
+commit 9ad0830f307bcd8dc285cfae58998d43b21727f4
+Author: David Howells <[EMAIL PROTECTED]>
+Date:   Tue Feb 6 13:45:51 2007 +0000
+
+    [PATCH] Keys: Fix key serial number collision handling
+    
+    Fix the key serial number collision avoidance code in key_alloc_serial().
+    
+    This didn't use to be so much of a problem as the key serial numbers were
+    allocated from a simple incremental counter, and it would have to go 
through
+    two billion keys before it could possibly encounter a collision.  However, 
now
+    that random numbers are used instead, collisions are much more likely.
+    
+    This is fixed by finding a hole in the rbtree where the next unused serial
+    number ought to be and using that by going almost back to the top of the
+    insertion routine and redoing the insertion with the new serial number 
rather
+    than trying to be clever and attempting to work out the insertion point
+    pointer directly.
+    
+    This fixes kernel BZ #7727.
+    
+    Signed-off-by: David Howells <[EMAIL PROTECTED]>
+    Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+
+---
+ security/keys/key.c |   33 ++++++++++++++-------------------
+ 1 file changed, 14 insertions(+), 19 deletions(-)
+
+--- linux-2.6.17.orig/security/keys/key.c
++++ linux-2.6.17/security/keys/key.c
+@@ -186,6 +186,7 @@ static inline void key_alloc_serial(stru
+               key->serial = 3;
+       key_serial_next = key->serial + 1;
+ 
++attempt_insertion:
+       parent = NULL;
+       p = &key_serial_tree.rb_node;
+ 
+@@ -200,40 +201,34 @@ static inline void key_alloc_serial(stru
+               else
+                       goto serial_exists;
+       }
+-      goto insert_here;
++
++      /* we've found a suitable hole - arrange for this key to occupy it */
++      rb_link_node(&key->serial_node, parent, p);
++      rb_insert_color(&key->serial_node, &key_serial_tree);
++
++      spin_unlock(&key_serial_lock);
++      return;
+ 
+       /* we found a key with the proposed serial number - walk the tree from
+        * that point looking for the next unused serial number */
+  serial_exists:
+       for (;;) {
+               key->serial = key_serial_next;
+-              if (key->serial < 2)
+-                      key->serial = 2;
++              if (key->serial < 3)
++                      key->serial = 3;
+               key_serial_next = key->serial + 1;
+-
+-              if (!parent->rb_parent)
+-                      p = &key_serial_tree.rb_node;
+-              else if (parent->rb_parent->rb_left == parent)
+-                      p = &parent->rb_parent->rb_left;
+-              else
+-                      p = &parent->rb_parent->rb_right;
++              if (key->serial == 3)
++                      goto attempt_insertion;
+ 
+               parent = rb_next(parent);
+               if (!parent)
+-                      break;
++                      goto attempt_insertion;
+ 
+               xkey = rb_entry(parent, struct key, serial_node);
+               if (key->serial < xkey->serial)
+-                      goto insert_here;
++                      goto attempt_insertion;
+       }
+ 
+-      /* we've found a suitable hole - arrange for this key to occupy it */
+- insert_here:
+-      rb_link_node(&key->serial_node, parent, p);
+-      rb_insert_color(&key->serial_node, &key_serial_tree);
+-
+-      spin_unlock(&key_serial_lock);
+-
+ } /* end key_alloc_serial() */
+ 
+ 
/*****************************************************************************/
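Review bot: In the serial_exists loop of the key.c change, the new `if (key->serial == 3) goto attempt_insertion;` carries no comment, and its purpose is not obvious from the code. Going by the visible lines, a serial of 3 at that point comes from the clamp directly above it (`if (key->serial < 3) key->serial = 3;`), meaning key_serial_next has wrapped, so `parent` no longer marks a position near the new serial and the walk has to restart from the root. A one-line comment saying so would help. The floor value 3 also now appears in three places in this function (the context line `key->serial = 3;` and the two lines in the loop), and the removed lines show the loop previously used 2 while the context used 3, so a named constant would keep them in step.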

Modified: packages/updates/2007.0/kernel-2.6/current/SPECS/kernel-2.6.spec
==============================================================================
--- packages/updates/2007.0/kernel-2.6/current/SPECS/kernel-2.6.spec    
(original)
+++ packages/updates/2007.0/kernel-2.6/current/SPECS/kernel-2.6.spec    Tue Feb 
13 14:10:29 2007
@@ -1047,6 +1047,8 @@
       (thanks to Hugh Dickins <[EMAIL PROTECTED]>)
     - PowerPC: Make current preempt-safe (thanks to Hugh Dickins
       <[EMAIL PROTECTED]>)
+    - Security fixes:
+      * ZZ12_CVE-2007-0006_key_serial_number_collision_fix.patch (#28636)
 
 * Fri Feb 02 2007 Luiz Capitulino <[EMAIL PROTECTED]> 2.6.17-10mdv2007.0
   o Gwenole Beauchesne <[EMAIL PROTECTED]>
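Review bot: The only change to kernel-2.6.spec in this revision is the changelog entry, with no Patch or %patch line added, so it is worth confirming that files placed under PATCHES/patches are applied by the build without being listed individually. The entry would also be easier to search for if it named CVE-2007-0006 in its text next to the (#28636) reference, rather than only inside the patch filename.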
