aboutsummaryrefslogtreecommitdiffstats
path: root/fs/cifs/cifsfs.c
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2010-07-22 07:53:18 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2010-07-22 12:42:40 -0400
commit4c0c03ca54f72fdd5912516ad0a23ec5cf01bda7 (patch)
treea05cfa65c298edb1f034923ff6eb76839b5bc0dd /fs/cifs/cifsfs.c
parentcd5b8f8755a89a57fc8c408d284b8b613f090345 (diff)
CIFS: Fix a malicious redirect problem in the DNS lookup code
Fix the security problem in the CIFS filesystem DNS lookup code in which a malicious redirect could be installed by a random user by simply adding a result record into one of their keyrings with add_key() and then invoking a CIFS CFS lookup [CVE-2010-2524]. This is done by creating an internal keyring specifically for the caching of DNS lookups. To enforce the use of this keyring, the module init routine creates a set of override credentials with the keyring installed as the thread keyring and instructs request_key() to only install lookup result keys in that keyring. The override is then applied around the call to request_key(). This has some additional benefits when a kernel service uses this module to request a key: (1) The result keys are owned by root, not the user that caused the lookup. (2) The result keys don't pop up in the user's keyrings. (3) The result keys don't come out of the quota of the user that caused the lookup. The keyring can be viewed as root by doing cat /proc/keys: 2a0ca6c3 I----- 1 perm 1f030000 0 0 keyring .dns_resolver: 1/4 It can then be listed with 'keyctl list' by root. # keyctl list 0x2a0ca6c3 1 key in keyring: 726766307: --alswrv 0 0 dns_resolver: foo.bar.com Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-and-Tested-by: Jeff Layton <jlayton@redhat.com> Acked-by: Steve French <smfrench@gmail.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/cifs/cifsfs.c')
-rw-r--r--fs/cifs/cifsfs.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
index 484e52bb40bb..2cb1a70214d7 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -923,7 +923,7 @@ init_cifs(void)
923 goto out_unregister_filesystem; 923 goto out_unregister_filesystem;
924#endif 924#endif
925#ifdef CONFIG_CIFS_DFS_UPCALL 925#ifdef CONFIG_CIFS_DFS_UPCALL
926 rc = register_key_type(&key_type_dns_resolver); 926 rc = cifs_init_dns_resolver();
927 if (rc) 927 if (rc)
928 goto out_unregister_key_type; 928 goto out_unregister_key_type;
929#endif 929#endif
@@ -935,7 +935,7 @@ init_cifs(void)
935 935
936 out_unregister_resolver_key: 936 out_unregister_resolver_key:
937#ifdef CONFIG_CIFS_DFS_UPCALL 937#ifdef CONFIG_CIFS_DFS_UPCALL
938 unregister_key_type(&key_type_dns_resolver); 938 cifs_exit_dns_resolver();
939 out_unregister_key_type: 939 out_unregister_key_type:
940#endif 940#endif
941#ifdef CONFIG_CIFS_UPCALL 941#ifdef CONFIG_CIFS_UPCALL
@@ -961,7 +961,7 @@ exit_cifs(void)
961 cifs_proc_clean(); 961 cifs_proc_clean();
962#ifdef CONFIG_CIFS_DFS_UPCALL 962#ifdef CONFIG_CIFS_DFS_UPCALL
963 cifs_dfs_release_automount_timer(); 963 cifs_dfs_release_automount_timer();
964 unregister_key_type(&key_type_dns_resolver); 964 cifs_exit_dns_resolver();
965#endif 965#endif
966#ifdef CONFIG_CIFS_UPCALL 966#ifdef CONFIG_CIFS_UPCALL
967 unregister_key_type(&cifs_spnego_key_type); 967 unregister_key_type(&cifs_spnego_key_type);