Linux Kernel Fix: Security Keys Slab Out-of-Bounds Vulnerability
A vulnerability in the Linux kernel's security/keys subsystem has been fixed. KASAN reported a four-byte slab out-of-bounds read in key_task_permission. The issue could be reproduced by collecting more than 32 inputs with similar hash values (ending in '0xxxxxxxe6'), rebooting, and then adding those keys.
The bug lies in how the keyring's associative-array tree is walked. While iterating over a node's slots, a slot holding a meta pointer is followed to the next node only if the current node has a parent (is connected to the root). At the root, a slot pointing to a shortcut was instead handed to the check for whether a pointer is a keyring; that check only tests a subtype bit, and because KEYRING_PTR_SUBTYPE and ASSOC_ARRAY_PTR_SUBTYPE_MASK have the same value, a shortcut pointer passes it and is treated as a keyring. With 32 keys whose hashes collide in this way, a node split went wrong and left the root with a slot pointing to a shortcut, and accessing that shortcut as if it were a keyring produced the out-of-bounds read.
The fix is to always enter descend_to_node when the pointer is a shortcut, even at the root.
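To make the tag confusion concrete, here is an added C model of the tagged slot pointers and of the walk rule before and after the fix; it is illustration written for this page, not the kernel's code. The bit layout (meta bit 0x1, subtype bit 0x2), the function names and the constructed address 0x1000 are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed tag layout for illustration (not copied from kernel headers):
 * bit 0 set: meta pointer (node or shortcut); clear: leaf (a key)
 * bit 1 set on a meta pointer: shortcut; clear: node
 * bit 1 set on a leaf pointer: the key is a keyring
 * Both bit-1 meanings share one value, which is the overlap the page describes. */
#define ASSOC_ARRAY_PTR_TYPE_MASK    0x1UL
#define ASSOC_ARRAY_PTR_SUBTYPE_MASK 0x2UL
#define KEYRING_PTR_SUBTYPE          0x2UL

enum slot_kind { SLOT_KEY, SLOT_KEYRING, SLOT_NODE, SLOT_SHORTCUT };
enum action { ACT_SKIP, ACT_DESCEND, ACT_SEARCH_KEYRING };

/* Tag an (aligned, never dereferenced here) object address as the given slot kind. */
const void *make_slot(uintptr_t obj, enum slot_kind kind)
{
    switch (kind) {
    case SLOT_KEYRING:  return (const void *)(obj | KEYRING_PTR_SUBTYPE);
    case SLOT_NODE:     return (const void *)(obj | ASSOC_ARRAY_PTR_TYPE_MASK);
    case SLOT_SHORTCUT: return (const void *)(obj | ASSOC_ARRAY_PTR_TYPE_MASK | ASSOC_ARRAY_PTR_SUBTYPE_MASK);
    default:            return (const void *)obj;
    }
}

bool ptr_is_meta(const void *p)     { return ((uintptr_t)p & ASSOC_ARRAY_PTR_TYPE_MASK) != 0; }
bool ptr_is_shortcut(const void *p) { return ptr_is_meta(p) && ((uintptr_t)p & ASSOC_ARRAY_PTR_SUBTYPE_MASK); }
/* Tests only the subtype bit, so a shortcut meta pointer (bits 0b11) also passes. */
bool keyring_ptr_is_keyring(const void *p) { return ((uintptr_t)p & KEYRING_PTR_SUBTYPE) != 0; }

/* Walk rule as the page describes it before the fix: meta pointers are only
 * descended when the node has a parent, so a shortcut in a root slot falls
 * through to the keyring test and is searched as if it were a keyring. */
enum action slot_action_before(const void *ptr, bool node_has_parent)
{
    if (ptr_is_meta(ptr) && node_has_parent) return ACT_DESCEND;
    if (!keyring_ptr_is_keyring(ptr))        return ACT_SKIP;
    return ACT_SEARCH_KEYRING;
}

/* After the fix: a shortcut is always descended, even from the root. */
enum action slot_action_after(const void *ptr, bool node_has_parent)
{
    if (ptr_is_meta(ptr) && (node_has_parent || ptr_is_shortcut(ptr))) return ACT_DESCEND;
    if (!keyring_ptr_is_keyring(ptr))                                   return ACT_SKIP;
    return ACT_SEARCH_KEYRING;
}
```

Calling slot_action_before on a shortcut slot of the root returns ACT_SEARCH_KEYRING, while slot_action_after returns ACT_DESCEND; leaf and node slots are classified the same way by both.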
Vulnerable Product |
---|
linux linux |
linux linux kernel |
linux linux kernel 6.12 |