From mboxrd@z Thu Jan 1 00:00:00 1970 From: David Miller Subject: Re: [PATCH RESEND net-next v2] KEYS: DNS: limit the length of option strings Date: Tue, 17 Apr 2018 13:43:16 -0400 (EDT) Message-ID: <20180417.134316.1413649044013070735.davem@davemloft.net> References: <20180416212922.233194-1-ebiggers3@gmail.com> Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Cc: netdev@vger.kernel.org, keyrings@vger.kernel.org, mark.rutland@arm.com, ebiggers@google.com To: ebiggers3@gmail.com Return-path: Received: from shards.monkeyblade.net ([184.105.139.130]:59022 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752221AbeDQRnS (ORCPT ); Tue, 17 Apr 2018 13:43:18 -0400 In-Reply-To: <20180416212922.233194-1-ebiggers3@gmail.com> Sender: netdev-owner@vger.kernel.org List-ID: From: Eric Biggers Date: Mon, 16 Apr 2018 14:29:22 -0700 > From: Eric Biggers > > Adding a dns_resolver key whose payload contains a very long option name > resulted in that string being printed in full. This hit the WARN_ONCE() > in set_precision() during the printk(), because printk() only supports a > precision of up to 32767 bytes: > > precision 1000000 too large > WARNING: CPU: 0 PID: 752 at lib/vsprintf.c:2189 vsnprintf+0x4bc/0x5b0 > > Fix it by limiting option strings (combined name + value) to a much more > reasonable 128 bytes. The exact limit is arbitrary, but currently the > only recognized option is formatted as "dnserror=%lu" which fits well > within this limit. > > Also ratelimit the printks. > > Reproducer: > > perl -e 'print "#", "A" x 1000000, "\x00"' | keyctl padd dns_resolver desc @s > > This bug was found using syzkaller. > > Reported-by: Mark Rutland > Fixes: 4a2d789267e0 ("DNS: If the DNS server returns an error, allow that to be cached [ver #2]") > Signed-off-by: Eric Biggers Applied, thanks.