From patchwork Wed Feb 28 19:05:10 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 879312 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="DfxfMe5/"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3zs4n33tzPz9s2K for ; Thu, 1 Mar 2018 06:07:03 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933083AbeB1THA (ORCPT ); Wed, 28 Feb 2018 14:07:00 -0500 Received: from mail-it0-f67.google.com ([209.85.214.67]:56098 "EHLO mail-it0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932365AbeB1TG7 (ORCPT ); Wed, 28 Feb 2018 14:06:59 -0500 Received: by mail-it0-f67.google.com with SMTP id n7so4703844ita.5; Wed, 28 Feb 2018 11:06:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=r+2kmyG5yPzRbqZMGyDiXycBJ0ZzEZ1+N4R2nfiDzaI=; b=DfxfMe5/fayrSbKGKS/amzGcQoilkNC3JFwhjM+ppqADA767GmtLT+NKqa4RBiSu12 Pg/qeEfG+2PbvXq3hEKRUZgFR8JdVuMsgP4DU+nrs9gEWYE5o1dA7O4boHBjZ3OxQQXT Q25cBvovCt3qwm6oqgBenEXgKYfNDkHXv7OfQSFA24ClqMDnxtf6CJTpYDvGfkwvZ35a mzcM0G8a1tRM++RmQvlJKS7qvkA7UwnkbjCdlixzJPYrScIqb2Gp+TdMRAGPG6p4CFhD 1yW72m6t3grWF28XsRYN7saR3aV8SSFHrYiKIfEmwqW3TyNXxAceJzuAIsq77mxiLQP2 hw2w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=r+2kmyG5yPzRbqZMGyDiXycBJ0ZzEZ1+N4R2nfiDzaI=; b=mMyBwB57tK2kYncM3dYmIhZiaOLDaArzINN9XTUFaVv7CA5unngnrtT7rU6Kyw3JXy OHMD28pLEtJm4R0xMM8HrTcW9JYNTps3a5Ydw2o+Qd43A7FsZNzNmltmT2SwxO/vcJq/ Z+vtzgh1Dj81GxZweg+d8nOSw8dfr05rD/5oMzGL9jrrVzI6Ttg4uET3pThxwcxTnmA/ lV3hnhvsc2DyEX2SAmnnMNYzWJOUyEsVyIoYSe+J+vx+EXQkPUdCHz8J1GMjjt5Uw7NH BqY9aUCYCka6EidAfo636SKZOmi8U3gWeYHMXrFPglzMu6U3H1vQH4v6snRIiqfwyKP8 N/nA== X-Gm-Message-State: APf1xPCfS+t1RzQN5CPlmnX5+Xa9RzfmUDS6kYwm4Qu7h+4BCQpr7Jkm m0umR7RWZubB9c3hTb7JPWBMtIl6 X-Google-Smtp-Source: AG47ELvFWLZDjretxACGa5LvfECxfK5B83/rRPdyXNmctSJrrzp1llZeegUzBN1ipchykoVm5MupMw== X-Received: by 10.36.105.84 with SMTP id e81mr21573836itc.123.1519844817976; Wed, 28 Feb 2018 11:06:57 -0800 (PST) Received: from ebiggers-linuxstation.kir.corp.google.com ([2620:15c:17:3:dc28:5c82:b905:e8a8]) by smtp.gmail.com with ESMTPSA id a188sm1978465itg.30.2018.02.28.11.06.56 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 28 Feb 2018 11:06:57 -0800 (PST) From: Eric Biggers To: keyrings@vger.kernel.org, David Howells Cc: netdev@vger.kernel.org, Mark Rutland , Eric Biggers Subject: [PATCH v2] KEYS: DNS: limit the length of option strings Date: Wed, 28 Feb 2018 11:05:10 -0800 Message-Id: <20180228190510.215801-1-ebiggers3@gmail.com> X-Mailer: git-send-email 2.16.2.395.g2e18187dfd-goog Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Eric Biggers Adding a dns_resolver key whose payload contains a very long option name resulted in that string being printed in full. This hit the WARN_ONCE() in set_precision() during the printk(), because printk() only supports a precision of up to 32767 bytes: precision 1000000 too large WARNING: CPU: 0 PID: 752 at lib/vsprintf.c:2189 vsnprintf+0x4bc/0x5b0 Fix it by limiting option strings (combined name + value) to a much more reasonable 128 bytes. The exact limit is arbitrary, but currently the only recognized option is formatted as "dnserror=%lu" which fits well within this limit. Also ratelimit the printks. Reproducer: perl -e 'print "#", "A" x 1000000, "\x00"' | keyctl padd dns_resolver desc @s This bug was found using syzkaller. Reported-by: Mark Rutland Fixes: 4a2d789267e0 ("DNS: If the DNS server returns an error, allow that to be cached [ver #2]") Cc: # v2.6.36+ Signed-off-by: Eric Biggers --- net/dns_resolver/dns_key.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c index e1d4d898a007..ed372d550137 100644 --- a/net/dns_resolver/dns_key.c +++ b/net/dns_resolver/dns_key.c @@ -91,9 +91,9 @@ dns_resolver_preparse(struct key_preparsed_payload *prep) next_opt = memchr(opt, '#', end - opt) ?: end; opt_len = next_opt - opt; - if (!opt_len) { - printk(KERN_WARNING - "Empty option to dns_resolver key\n"); + if (opt_len <= 0 || opt_len > 128) { + pr_warn_ratelimited("Invalid option length (%d) for dns_resolver key\n", + opt_len); return -EINVAL; } @@ -127,10 +127,8 @@ dns_resolver_preparse(struct key_preparsed_payload *prep) } bad_option_value: - printk(KERN_WARNING - "Option '%*.*s' to dns_resolver key:" - " bad/missing value\n", - opt_nlen, opt_nlen, opt); + pr_warn_ratelimited("Option '%*.*s' to dns_resolver key: bad/missing value\n", + opt_nlen, opt_nlen, opt); return -EINVAL; } while (opt = next_opt + 1, opt < end); }