From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Linus Torvalds <torvalds@linux-foundation.org>,
Edward Adam Davis <eadavis@qq.com>,
David Howells <dhowells@redhat.com>,
Jarkko Sakkinen <jarkko@kernel.org>,
Jeffrey E Altman <jaltman@auristor.com>,
Wang Lei <wang840925@gmail.com>, Jeff Layton <jlayton@redhat.com>,
Steve French <sfrench@us.ibm.com>,
Marc Dionne <marc.dionne@auristor.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
syzbot+94bbb75204a05da3d89f@syzkaller.appspotmail.com
Subject: [PATCH 5.10 01/43] keys, dns: Fix missing size check of V1 server-list header
Date: Sat, 13 Jan 2024 10:49:40 +0100 [thread overview]
Message-ID: <20240113094206.977905274@linuxfoundation.org> (raw)
In-Reply-To: <20240113094206.930684111@linuxfoundation.org>
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
commit 1997b3cb4217b09e49659b634c94da47f0340409 upstream.
The dns_resolver_preparse() function has a check on the size of the
payload for the basic header of the binary-style payload, but is missing
a check for the size of the V1 server-list payload header after
determining that's what we've been given.
Fix this by getting rid of the pointer to the basic header and just
assuming that we have a V1 server-list payload and moving the V1 server
list pointer inside the if-statement. Dealing with other types and
versions can be left for when such have been defined.
This can be tested by doing the following with KASAN enabled:
echo -n -e '\x0\x0\x1\x2' | keyctl padd dns_resolver foo @p
and produces an oops like the following:
BUG: KASAN: slab-out-of-bounds in dns_resolver_preparse+0xc9f/0xd60 net/dns_resolver/dns_key.c:127
Read of size 1 at addr ffff888028894084 by task syz-executor265/5069
...
Call Trace:
dns_resolver_preparse+0xc9f/0xd60 net/dns_resolver/dns_key.c:127
__key_create_or_update+0x453/0xdf0 security/keys/key.c:842
key_create_or_update+0x42/0x50 security/keys/key.c:1007
__do_sys_add_key+0x29c/0x450 security/keys/keyctl.c:134
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x62/0x6a
This patch was originally by Edward Adam Davis, but was modified by
Linus.
Fixes: b946001d3bb1 ("keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry")
Reported-and-tested-by: syzbot+94bbb75204a05da3d89f@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/0000000000009b39bc060c73e209@google.com/
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: David Howells <dhowells@redhat.com>
Cc: Edward Adam Davis <eadavis@qq.com>
Cc: Jarkko Sakkinen <jarkko@kernel.org>
Cc: Jeffrey E Altman <jaltman@auristor.com>
Cc: Wang Lei <wang840925@gmail.com>
Cc: Jeff Layton <jlayton@redhat.com>
Cc: Steve French <sfrench@us.ibm.com>
Cc: Marc Dionne <marc.dionne@auristor.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jeffrey E Altman <jaltman@auristor.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/dns_resolver/dns_key.c | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)
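The missing check, modelled in userspace as an added example that is not part of this patch or of the kernel: the struct layouts, the enum values, the sample bytes and the helper names are assumptions, and the out-of-bounds read is detected by an explicit bounds test instead of by KASAN.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Layouts modelled on the kernel's dns_payload_header and
 * dns_server_list_v1_header (assumed: a 3-byte basic header followed
 * by source/status/nr_servers, all packed). */
struct dns_payload_header { uint8_t zero, content, version; } __attribute__((packed));
struct dns_server_list_v1_header {
	struct dns_payload_header hdr;
	uint8_t source, status, nr_servers;
} __attribute__((packed));

#define DNS_PAYLOAD_IS_SERVER_LIST 0
#define DNS_LOOKUP_GOOD 1           /* assumed values, only used by this demo */
#define DNS_LOOKUP_GOOD_WITH_BAD 2

/* Mirrors the header checks of dns_resolver_preparse().  With fixed == 0 the
 * size check covers only the basic header, as before the patch; with fixed == 1
 * it covers the whole V1 header.  Returns 0 or -EINVAL; *oob is set when the
 * read of v1->status would fall outside the buffer, which is the read KASAN
 * reported as slab-out-of-bounds in the kernel. */
static int preparse_v1(const uint8_t *data, size_t datalen, int fixed, int *oob)
{
	const struct dns_server_list_v1_header *v1;
	size_t need = fixed ? sizeof(*v1) : sizeof(struct dns_payload_header);

	*oob = 0;
	if (datalen == 0 || data[0] != 0)
		return -EINVAL;
	if (datalen <= need)
		return -EINVAL;
	v1 = (const struct dns_server_list_v1_header *)data;
	if (v1->hdr.content != DNS_PAYLOAD_IS_SERVER_LIST || v1->hdr.version != 1)
		return -EINVAL;
	if (offsetof(struct dns_server_list_v1_header, status) >= datalen) {
		*oob = 1;               /* the pre-fix code dereferences here regardless */
		return -EINVAL;
	}
	if (v1->status != DNS_LOOKUP_GOOD && v1->status != DNS_LOOKUP_GOOD_WITH_BAD)
		return -EINVAL;
	return 0;
}

/* Constructed inputs: the four bytes from the reproducer and a minimal well-formed header. */
static const uint8_t repro[] = { 0x00, 0x00, 0x01, 0x02 };
static const uint8_t good[]  = { 0x00, 0x00, 0x01, 0x02, 0x01, 0x00, 0x00 };

int repro_oob_before_fix(void) { int oob; preparse_v1(repro, sizeof(repro), 0, &oob); return oob; }
int repro_oob_after_fix(void)  { int oob; preparse_v1(repro, sizeof(repro), 1, &oob); return oob; }
int repro_ret_after_fix(void)  { int oob; return preparse_v1(repro, sizeof(repro), 1, &oob); }
int good_ret_after_fix(void)   { int oob; return preparse_v1(good, sizeof(good), 1, &oob); }
```

With the pre-fix size check the reproducer passes the 3-byte test and the status read lands at offset 4 of a 4-byte buffer; with the V1-sized check it is rejected before any field past the basic header is touched.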
--- a/net/dns_resolver/dns_key.c
+++ b/net/dns_resolver/dns_key.c
@@ -91,8 +91,6 @@ const struct cred *dns_resolver_cache;
static int
dns_resolver_preparse(struct key_preparsed_payload *prep)
{
- const struct dns_server_list_v1_header *v1;
- const struct dns_payload_header *bin;
struct user_key_payload *upayload;
unsigned long derrno;
int ret;
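Review bot: dropping `bin` and the function-scope `v1` here is the right narrowing, since the pointer is only meaningful once the payload is known to be a binary server list; the one thing to confirm in review is that no other use of `bin` survives outside the second hunk, because this hunk removes its declaration for the whole function and the diff shows no remaining reference to it.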
@@ -103,27 +101,28 @@ dns_resolver_preparse(struct key_prepars
return -EINVAL;
if (data[0] == 0) {
+ const struct dns_server_list_v1_header *v1;
+
/* It may be a server list. */
- if (datalen <= sizeof(*bin))
+ if (datalen <= sizeof(*v1))
return -EINVAL;
- bin = (const struct dns_payload_header *)data;
- kenter("[%u,%u],%u", bin->content, bin->version, datalen);
- if (bin->content != DNS_PAYLOAD_IS_SERVER_LIST) {
+ v1 = (const struct dns_server_list_v1_header *)data;
+ kenter("[%u,%u],%u", v1->hdr.content, v1->hdr.version, datalen);
+ if (v1->hdr.content != DNS_PAYLOAD_IS_SERVER_LIST) {
pr_warn_ratelimited(
"dns_resolver: Unsupported content type (%u)\n",
- bin->content);
+ v1->hdr.content);
return -EINVAL;
}
- if (bin->version != 1) {
+ if (v1->hdr.version != 1) {
pr_warn_ratelimited(
"dns_resolver: Unsupported server list version (%u)\n",
- bin->version);
+ v1->hdr.version);
return -EINVAL;
}
- v1 = (const struct dns_server_list_v1_header *)bin;
if ((v1->status != DNS_LOOKUP_GOOD &&
v1->status != DNS_LOOKUP_GOOD_WITH_BAD)) {
if (prep->expiry == TIME64_MAX)
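Review bot: the changed test `if (datalen <= sizeof(*v1))` is what now guards the later read of `v1->status`, the access KASAN flagged at dns_key.c:127, because it is evaluated before any field beyond the 3-byte basic header is touched. One behavioural consequence worth a sentence in the changelog: a payload that carries a valid basic header but is shorter than a V1 header is now rejected with -EINVAL before the content-type and version tests, so it no longer reaches the ratelimited "Unsupported server list version" warning; that is the trade the commit message accepts by deferring other types and versions. Keeping `<=` rather than `<` also preserves the earlier rejection of a header with no server records behind it, and removing the `v1 = (const struct dns_server_list_v1_header *)bin;` reassignment is correct since `v1` already points at `data`.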