From patchwork Mon Apr 16 21:29:22 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 898945 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="XdkloKAc"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 40Q1m2333qz9rx7 for ; Tue, 17 Apr 2018 07:31:30 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752250AbeDPVb2 (ORCPT ); Mon, 16 Apr 2018 17:31:28 -0400 Received: from mail-pf0-f193.google.com ([209.85.192.193]:36387 "EHLO mail-pf0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751010AbeDPVb0 (ORCPT ); Mon, 16 Apr 2018 17:31:26 -0400 Received: by mail-pf0-f193.google.com with SMTP id g14so11147626pfh.3; Mon, 16 Apr 2018 14:31:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=apDxfvYZUTlivm0NzCmPg2NndO2h/VTqR/Y669rkJNU=; b=XdkloKAcQ/393u5tlw9EBPepRM02lENSFr2nSv8PC9FXBto4e5Xjs+B8UhbYpxmbEa CTnfsxi7CifBx/JtkMeNNyxtqHib5EwnhCpXvfaa8zw9JgySfR4aHoteJ7uK5Oto1j/a btwCe4OBUQQOGBLIQ/42LQrpT/ubP7RinHY9gmpfcgOlWirSWijJQY8beg3U/YrE2UEh yAFeCSx58NunKEAWgXNWuvMSCZocoABQr27137O/mqctOkodJOCJymADDKaTWSKaDxbK era8bNwDIpsm5CcME8jizMxUpKVWGqF7/GtnriZ/eLNkqBrfCz0aVU8EoWwXHtgeEYvH k9GA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=apDxfvYZUTlivm0NzCmPg2NndO2h/VTqR/Y669rkJNU=; b=gGgqzaxUb7YSPMsUxFcX+ozGhXi/U5NB05Y0GhO+z959K+Ry/4plFsKMklRNQDKaxg z+PlO1fQEBBhEOyclMIVxj/CAgad9unFHuTh1Yg8LGKYDUNr3jb5z2EYE+64NIAJnJZO 8Z303nS5IqXP6lhKWcMm5f7QowRG6g2qMVovClgZJ97NzjW7LiMWN3EMkxwu1xG6r9/6 uTUH2R7TW58bVCx1R5c6G8Fc39Yn5Urd6Vel+isS3ZfAuPL88yI0mI5ov6mCd2+Fw2Wv DB1zIiHDBikDfdKbOHz+PP9+Z0keC0/qKNJo+bchymYRKkdeh2THfEOPVsuZIOQgN/X+ fO4A== X-Gm-Message-State: ALQs6tDZw/upSh0NaKHdz+vd3TQmI8WOKNZLwC17RFKWmk4zkFwuafxe zS0bAnRrm7RonWGRq+M96FqRN2A+ X-Google-Smtp-Source: AIpwx48tMKlsb9d+fZZiqEHvOrHgxxt5vCXF1hvroG05pwHZo1L4jXUOPYtVUxgDPJQ7TS3xF3t49g== X-Received: by 10.98.59.207 with SMTP id w76mr9965081pfj.36.1523914286170; Mon, 16 Apr 2018 14:31:26 -0700 (PDT) Received: from ebiggers-linuxstation.kir.corp.google.com ([2620:15c:17:3:dc28:5c82:b905:e8a8]) by smtp.gmail.com with ESMTPSA id g26sm31697524pfk.173.2018.04.16.14.31.25 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 16 Apr 2018 14:31:25 -0700 (PDT) From: Eric Biggers To: netdev@vger.kernel.org, "David S . Miller" Cc: keyrings@vger.kernel.org, Mark Rutland , Eric Biggers Subject: [PATCH RESEND net-next v2] KEYS: DNS: limit the length of option strings Date: Mon, 16 Apr 2018 14:29:22 -0700 Message-Id: <20180416212922.233194-1-ebiggers3@gmail.com> X-Mailer: git-send-email 2.17.0.484.g0c8726318c-goog Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Eric Biggers Adding a dns_resolver key whose payload contains a very long option name resulted in that string being printed in full. This hit the WARN_ONCE() in set_precision() during the printk(), because printk() only supports a precision of up to 32767 bytes: precision 1000000 too large WARNING: CPU: 0 PID: 752 at lib/vsprintf.c:2189 vsnprintf+0x4bc/0x5b0 Fix it by limiting option strings (combined name + value) to a much more reasonable 128 bytes. The exact limit is arbitrary, but currently the only recognized option is formatted as "dnserror=%lu" which fits well within this limit. Also ratelimit the printks. Reproducer: perl -e 'print "#", "A" x 1000000, "\x00"' | keyctl padd dns_resolver desc @s This bug was found using syzkaller. Reported-by: Mark Rutland Fixes: 4a2d789267e0 ("DNS: If the DNS server returns an error, allow that to be cached [ver #2]") Signed-off-by: Eric Biggers --- net/dns_resolver/dns_key.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c index 8396705deffc..40c851693f77 100644 --- a/net/dns_resolver/dns_key.c +++ b/net/dns_resolver/dns_key.c @@ -91,9 +91,9 @@ dns_resolver_preparse(struct key_preparsed_payload *prep) next_opt = memchr(opt, '#', end - opt) ?: end; opt_len = next_opt - opt; - if (!opt_len) { - printk(KERN_WARNING - "Empty option to dns_resolver key\n"); + if (opt_len <= 0 || opt_len > 128) { + pr_warn_ratelimited("Invalid option length (%d) for dns_resolver key\n", + opt_len); return -EINVAL; } @@ -127,10 +127,8 @@ dns_resolver_preparse(struct key_preparsed_payload *prep) } bad_option_value: - printk(KERN_WARNING - "Option '%*.*s' to dns_resolver key:" - " bad/missing value\n", - opt_nlen, opt_nlen, opt); + pr_warn_ratelimited("Option '%*.*s' to dns_resolver key: bad/missing value\n", + opt_nlen, opt_nlen, opt); return -EINVAL; } while (opt = next_opt + 1, opt < end); }