[Security] Keys: Fix oops when adding key to non-keyring This fixes the problem of an oops occuring when a user attempts to add a key to a non-keyring key [CVE-2006-1522]. The problem is that __keyring_search_one() doesn't check that the keyring it's been given is actually a keyring. I've fixed this problem by: (1) declaring that caller of __keyring_search_one() must guarantee that the keyring is a keyring; and (2) making key_create_or_update() check that the keyring is a keyring, and return -ENOTDIR if it isn't. This can be tested by: keyctl add user b b `keyctl add user a a @s` Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>

commit: c3a9d6541f84ac3ff566982d08389b87c1c36b4e [log] [tgz]
author: David Howells <dhowells@redhat.com> Mon Apr 10 15:15:21 2006 +0100
committer: Linus Torvalds <torvalds@g5.osdl.org> Mon Apr 10 09:33:46 2006 -0700
tree: 161e507b276105b35dadf0c2637be9f018b0f664
parent: 460fbf82c0842cad3f3c744c4dcb81978b7829f3 [diff] [blame]
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index d65a180..bffa924 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c

@@ -437,6 +437,7 @@
 /*
  * search the given keyring only (no recursion)
  * - keyring must be locked by caller
+ * - caller must guarantee that the keyring is a keyring
  */
 key_ref_t __keyring_search_one(key_ref_t keyring_ref,
 			       const struct key_type *ktype,
commit	c3a9d6541f84ac3ff566982d08389b87c1c36b4e	[log] [tgz]
author	David Howells <dhowells@redhat.com>	Mon Apr 10 15:15:21 2006 +0100
committer	Linus Torvalds <torvalds@g5.osdl.org>	Mon Apr 10 09:33:46 2006 -0700
tree	161e507b276105b35dadf0c2637be9f018b0f664
parent	460fbf82c0842cad3f3c744c4dcb81978b7829f3 [diff] [blame]