diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2011-03-03 18:48:01 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2011-03-03 18:48:01 -0500 |
| commit | b65a0e0c84cf489bfa00d6aa6c48abc5a237100f (patch) | |
| tree | 3ed9d7b094e003a7b0d98234cb5b490d671bf3a9 | |
| parent | 4438a02fc4956f5f61918095708f183f5c63a9d3 (diff) | |
| parent | 1362fa078dae16776cd439791c6605b224ea6171 (diff) | |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076]
| -rw-r--r-- | Documentation/networking/dns_resolver.txt | 9 | ||||
| -rw-r--r-- | net/dns_resolver/dns_key.c | 20 |
2 files changed, 25 insertions, 4 deletions
diff --git a/Documentation/networking/dns_resolver.txt b/Documentation/networking/dns_resolver.txt index aefd1e681804..04ca06325b08 100644 --- a/Documentation/networking/dns_resolver.txt +++ b/Documentation/networking/dns_resolver.txt | |||
| @@ -61,7 +61,6 @@ before the more general line given above as the first match is the one taken. | |||
| 61 | create dns_resolver foo:* * /usr/sbin/dns.foo %k | 61 | create dns_resolver foo:* * /usr/sbin/dns.foo %k |
| 62 | 62 | ||
| 63 | 63 | ||
| 64 | |||
| 65 | ===== | 64 | ===== |
| 66 | USAGE | 65 | USAGE |
| 67 | ===== | 66 | ===== |
| @@ -104,6 +103,14 @@ implemented in the module can be called after doing: | |||
| 104 | returned also. | 103 | returned also. |
| 105 | 104 | ||
| 106 | 105 | ||
| 106 | =============================== | ||
| 107 | READING DNS KEYS FROM USERSPACE | ||
| 108 | =============================== | ||
| 109 | |||
| 110 | Keys of dns_resolver type can be read from userspace using keyctl_read() or | ||
| 111 | "keyctl read/print/pipe". | ||
| 112 | |||
| 113 | |||
| 107 | ========= | 114 | ========= |
| 108 | MECHANISM | 115 | MECHANISM |
| 109 | ========= | 116 | ========= |
diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c index 739435a6af39..cfa7a5e1c5c9 100644 --- a/net/dns_resolver/dns_key.c +++ b/net/dns_resolver/dns_key.c | |||
| @@ -67,8 +67,9 @@ dns_resolver_instantiate(struct key *key, const void *_data, size_t datalen) | |||
| 67 | size_t result_len = 0; | 67 | size_t result_len = 0; |
| 68 | const char *data = _data, *end, *opt; | 68 | const char *data = _data, *end, *opt; |
| 69 | 69 | ||
| 70 | kenter("%%%d,%s,'%s',%zu", | 70 | kenter("%%%d,%s,'%*.*s',%zu", |
| 71 | key->serial, key->description, data, datalen); | 71 | key->serial, key->description, |
| 72 | (int)datalen, (int)datalen, data, datalen); | ||
| 72 | 73 | ||
| 73 | if (datalen <= 1 || !data || data[datalen - 1] != '\0') | 74 | if (datalen <= 1 || !data || data[datalen - 1] != '\0') |
| 74 | return -EINVAL; | 75 | return -EINVAL; |
| @@ -217,6 +218,19 @@ static void dns_resolver_describe(const struct key *key, struct seq_file *m) | |||
| 217 | seq_printf(m, ": %u", key->datalen); | 218 | seq_printf(m, ": %u", key->datalen); |
| 218 | } | 219 | } |
| 219 | 220 | ||
| 221 | /* | ||
| 222 | * read the DNS data | ||
| 223 | * - the key's semaphore is read-locked | ||
| 224 | */ | ||
| 225 | static long dns_resolver_read(const struct key *key, | ||
| 226 | char __user *buffer, size_t buflen) | ||
| 227 | { | ||
| 228 | if (key->type_data.x[0]) | ||
| 229 | return key->type_data.x[0]; | ||
| 230 | |||
| 231 | return user_read(key, buffer, buflen); | ||
| 232 | } | ||
| 233 | |||
| 220 | struct key_type key_type_dns_resolver = { | 234 | struct key_type key_type_dns_resolver = { |
| 221 | .name = "dns_resolver", | 235 | .name = "dns_resolver", |
| 222 | .instantiate = dns_resolver_instantiate, | 236 | .instantiate = dns_resolver_instantiate, |
| @@ -224,7 +238,7 @@ struct key_type key_type_dns_resolver = { | |||
| 224 | .revoke = user_revoke, | 238 | .revoke = user_revoke, |
| 225 | .destroy = user_destroy, | 239 | .destroy = user_destroy, |
| 226 | .describe = dns_resolver_describe, | 240 | .describe = dns_resolver_describe, |
| 227 | .read = user_read, | 241 | .read = dns_resolver_read, |
| 228 | }; | 242 | }; |
| 229 | 243 | ||
| 230 | static int __init init_dns_resolver(void) | 244 | static int __init init_dns_resolver(void) |