17 Mar, 2011

1 commit

  • Improve /proc/keys by:

    (1) Don't attempt to summarise the payload of a negated key. It won't have
    one. To this end, a helper function - key_is_instantiated() has been
    added that allows the caller to find out whether the key is positively
    instantiated (as opposed to being uninstantiated or negatively

    (2) Do show keys that are negative, expired or revoked rather than hiding
    them. This requires an override flag (no_state_check) to be passed to
    search_my_process_keyrings() and keyring_search_aux() to suppress this

    Without this, keys that are possessed by the caller, but only grant
    permissions to the caller if possessed are skipped as the possession check

    Keys that are visible due to user, group or other checks are visible with
    or without this patch.

    Signed-off-by: David Howells
    Signed-off-by: James Morris

    David Howells

04 Mar, 2011

1 commit

  • When a DNS resolver key is instantiated with an error indication, attempts to
    read that key will result in an oops because user_read() is expecting there to
    be a payload - and there isn't one [CVE-2011-1076].

    Give the DNS resolver key its own read handler that returns the error cached in
    key->type_data.x[0] as an error rather than crashing.

    Also make the kenter() at the beginning of dns_resolver_instantiate() limit the
    amount of data it prints, since the data is not necessarily NUL-terminated.

    The buggy code was added in:

    commit 4a2d789267e00b5a1175ecd2ddefcc78b83fbf09
    Author: Wang Lei
    Date: Wed Aug 11 09:37:58 2010 +0100
    Subject: DNS: If the DNS server returns an error, allow that to be cached [ver #2]

    This can trivially be reproduced by any user with the following program
    compiled with -lkeyutils:

    static char payload[] = "#dnserror=6";
    int main()
    key_serial_t key;
    key = add_key("dns_resolver", "a", payload, sizeof(payload),
    if (key == -1)
    err(1, "add_key");
    if (keyctl_read(key, NULL, 0) == -1)
    err(1, "read_key");
    return 0;

    What should happen is that keyctl_read() reports error 6 (ENXIO) to the user:

    dns-break: read_key: No such device or address

    but instead the kernel oopses.

    This cannot be reproduced with the 'keyutils add' or 'keyutils padd' commands
    as both of those cut the data down below the NUL termination that must be
    included in the data. Without this dns_resolver_instantiate() will return
    -EINVAL and the key will not be instantiated such that it can be read.

    The oops looks like:

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
    IP: [] user_read+0x4f/0x8f
    PGD 3bdf8067 PUD 385b9067 PMD 0
    Oops: 0000 [#1] SMP
    last sysfs file: /sys/devices/pci0000:00/0000:00:19.0/irq
    CPU 0
    Modules linked in:

    Pid: 2150, comm: dns-break Not tainted 2.6.38-rc7-cachefs+ #468 /DG965RY
    RIP: 0010:[] [] user_read+0x4f/0x8f
    RSP: 0018:ffff88003bf47f08 EFLAGS: 00010246
    RAX: 0000000000000001 RBX: ffff88003b5ea378 RCX: ffffffff81972368
    RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003b5ea378
    RBP: ffff88003bf47f28 R08: ffff88003be56620 R09: 0000000000000000
    R10: 0000000000000395 R11: 0000000000000002 R12: 0000000000000000
    R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffffffffa1
    FS: 00007feab5751700(0000) GS:ffff88003e000000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000010 CR3: 000000003de40000 CR4: 00000000000006f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Process dns-break (pid: 2150, threadinfo ffff88003bf46000, task ffff88003be56090)
    ffff88003b5ea378 ffff88003b5ea3a0 0000000000000000 0000000000000000
    ffff88003bf47f68 ffffffff811b708e ffff88003c442bc8 0000000000000000
    00000000004005a0 00007fffba368060 0000000000000000 0000000000000000
    Call Trace:
    [] keyctl_read_key+0xac/0xcf
    [] sys_keyctl+0x75/0xb6
    [] system_call_fastpath+0x16/0x1b
    Code: 75 1f 48 83 7b 28 00 75 18 c6 05 58 2b fb 00 01 be bb 00 00 00 48 c7 c7 76 1c 75 81 e8 13 c2 e9 ff 4c 8b b3 e0 00 00 00 4d 85 ed 0f b7 5e 10 74 2d 4d 85 e4 74 28 e8 98 79 ee ff 49 39 dd 48
    RIP [] user_read+0x4f/0x8f
    CR2: 0000000000000010

    Signed-off-by: David Howells
    Acked-by: Jeff Layton
    cc: Wang Lei
    Signed-off-by: James Morris

    David Howells

23 Nov, 2010

1 commit

12 Aug, 2010

1 commit

  • If the DNS server returns an error, allow that to be cached in the DNS resolver
    key in lieu of a value. Userspace passes the desired error number as an option
    in the payload:


    Userspace must map h_errno from the name resolution routines to an appropriate
    Linux error before passing it up. Something like the following mapping is


    in lieu of Linux errors specifically for representing name service errors. The
    filesystem must map these errors appropropriately before passing them to
    userspace. AFS is made to map ENODATA and EAGAIN to EDESTADDRREQ for the
    return to userspace; ECONNREFUSED is allowed to stand as is.

    The error can be seen in /proc/keys as a negative number after the description
    of the key. Compare, for example, the following key entries:

    2f97238c I--Q-- 1 53s 3f010000 0 0 dns_resol afsdb:grand.centrall.org: -61
    338bfbbe I--Q-- 1 59m 3f010000 0 0 dns_resol afsdb:grand.central.org: 37

    If the error option is supplied in the payload, the main part of the payload is
    discarded. The key should have an expiry time set by userspace.

    Signed-off-by: Wang Lei
    Signed-off-by: David Howells
    Acked-by: Jeff Layton
    Signed-off-by: Steve French

    Wang Lei

06 Aug, 2010

4 commits

  • CC: Dave Howells
    Signed-off-by: Steve French

    Steve French
  • Fixes for the DNS query module, including:

    (1) Use 'negative' instead of '-ve' in the documentation.

    (2) Mark the kdoc comment with '/**' on dns_query().

    Reported-by: Randy Dunlap
    Signed-off-by: David Howells
    Signed-off-by: Steve French

    David Howells
  • Fixes build errors:

    net/dns_resolver/dns_key.c: In function 'init_dns_resolver':
    net/dns_resolver/dns_key.c:170: error: implicit declaration of function 'IS_ERR'
    net/dns_resolver/dns_key.c:171: error: implicit declaration of function 'PTR_ERR'
    net/dns_resolver/dns_query.c: In function 'dns_query':
    net/dns_resolver/dns_query.c:126: error: implicit declaration of function 'IS_ERR'
    net/dns_resolver/dns_query.c:127: error: implicit declaration of function 'PTR_ERR'

    Signed-off-by: Stephen Rothwell
    Signed-off-by: David Howells
    Signed-off-by: Steve French

    Stephen Rothwell
  • Separate out the DNS resolver key type from the CIFS filesystem into its own
    module so that it can be made available for general use, including the AFS
    filesystem module.

    This facility makes it possible for the kernel to upcall to userspace to have
    it issue DNS requests, package up the replies and present them to the kernel
    in a useful form. The kernel is then able to cache the DNS replies as keys
    can be retained in keyrings.

    Resolver keys are of type "dns_resolver" and have a case-insensitive
    description that is of the form "[:]". The optional
    indicates the particular DNS lookup and packaging that's required. The
    is the query to be made.

    If isn't given, a basic hostname to IP address lookup is made, and the
    result is stored in the key in the form of a printable string consisting of a
    comma-separated list of IPv4 and IPv6 addresses.

    This key type is supported by userspace helpers driven from /sbin/request-key
    and configured through /etc/request-key.conf. The cifs.upcall utility is
    invoked for UNC path server name to IP address resolution.

    The CIFS functionality is encapsulated by the dns_resolve_unc_to_ip() function,
    which is used to resolve a UNC path to an IP address for CIFS filesystem. This
    part remains in the CIFS module for now.

    See the added Documentation/networking/dns_resolver.txt for more information.

    Signed-off-by: Wang Lei
    Signed-off-by: David Howells
    Acked-by: Jeff Layton
    Signed-off-by: Steve French

    Wang Lei