From patchwork Wed Feb 28 01:49:05 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Eric Biggers <ebiggers3@gmail.com>
X-Patchwork-Id: 878898
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="ioyR4kS6"; dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 3zrdnG0Fw2z9s3p
	for <patchwork-incoming@ozlabs.org>;
	Wed, 28 Feb 2018 12:50:41 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751628AbeB1Buh (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Tue, 27 Feb 2018 20:50:37 -0500
Received: from mail-it0-f68.google.com ([209.85.214.68]:51253 "EHLO
	mail-it0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751605AbeB1Buf (ORCPT
	<rfc822;netdev@vger.kernel.org>); Tue, 27 Feb 2018 20:50:35 -0500
Received: by mail-it0-f68.google.com with SMTP id o9so1588407itc.1;
	Tue, 27 Feb 2018 17:50:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id;
	bh=Gx+OOTrF9uCaS0zkTfrC6OUss2N+s8WMTQg6mmBU92Q=;
	b=ioyR4kS6+BgPzrAQgAvu7CuihIwfYbyLEwWRZerlDfqDH5DApOaEk0Etkrw6DCBiop
	9A33xKbr+4RZOUhAp9zGe4zuRgp+ukCE4ptGHvsHThsVgVQewSI+zObqqcujpEKdhoGq
	gQ4lp5ybpyqxe6QU6Nl/PtVw+SmEXTV5W/ErGRTNa2+f7kEB32nk7QKMYb4DSwl7dg4D
	TC9RyCiRJY690kuWv6PHnSZoHBJSDWdmCDDHeKOd3fUcqm0Xt/9b9qJHkYx7yw/MqN6J
	ziYKTSt5VNeMs6prZpBRGP7LHXEf89xh+QVlEO5R7dPimnzV5eZyDB0s+kT248QPztmT
	Nz+A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=Gx+OOTrF9uCaS0zkTfrC6OUss2N+s8WMTQg6mmBU92Q=;
	b=Y/8zDK3DubD3w3iyG4kSTgan6chXQ/DLXKL8UZtzy1PDmQEWeDFlwyfg/z0T3IS+GI
	FZQ3vKifx/xdjy/onMVmucUJdB0LPWg5kHx9a3lrVD2Ty6g03M1Gztex+mP87Pshqrcl
	ocOs5SXUrkRXqoahWfshsd8o+CgrhVZeG+GYfENXE5mLw/NlSMukumcOM+91UBGP2aER
	BRQnMhrCe0CSsLGhGlXwZki8OEPOUXla4c2QMgsLQhH+bTXiCXlnhyTvMd9lpdVupUHF
	kZSwrQmlUOgfofob8da56ddfYRYbUlLFKj7hKL0E3uzJKMMgmEBF+onjRk4cEIshS/u+
	v4nA==
X-Gm-Message-State: APf1xPBTvFh5zahi8WMnckQapCoP7Q+6ou4GMJPy80nVc108Lm4e2L/w
	Ct6mBgVTetmSL3QDWuq73h3KpUJf
X-Google-Smtp-Source: 
 AG47ELudRJlmza/eTzaCvojAgY32j20GeIE+80EH64n6DiS12BDvMtRc0MJRjELjFK/fM4tl9tI6Og==
X-Received: by 10.36.40.72 with SMTP id h69mr18861609ith.102.1519782634910;
	Tue, 27 Feb 2018 17:50:34 -0800 (PST)
Received: from ebiggers-linuxstation.kir.corp.google.com
	([2620:15c:17:3:dc28:5c82:b905:e8a8])
	by smtp.gmail.com with ESMTPSA id
	l16sm332707ioc.80.2018.02.27.17.50.34
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Tue, 27 Feb 2018 17:50:34 -0800 (PST)
From: Eric Biggers <ebiggers3@gmail.com>
To: keyrings@vger.kernel.org, David Howells <dhowells@redhat.com>
Cc: netdev@vger.kernel.org, Mark Rutland <mark.rutland@arm.com>,
	Eric Biggers <ebiggers@google.com>
Subject: [PATCH] KEYS: DNS: limit the length of option strings
Date: Tue, 27 Feb 2018 17:49:05 -0800
Message-Id: <20180228014905.68153-1-ebiggers3@gmail.com>
X-Mailer: git-send-email 2.16.2.395.g2e18187dfd-goog
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

From: Eric Biggers <ebiggers@google.com>

Adding a dns_resolver key whose payload contains a very long option name
resulted in that string being printed in full.  This hit the WARN_ONCE()
in set_precision() during the printk(), because printk() only supports a
precision of up to 32767 bytes:

    precision 1000000 too large
    WARNING: CPU: 0 PID: 752 at lib/vsprintf.c:2189 vsnprintf+0x4bc/0x5b0

Fix it by limiting option strings (combined name + value) to a much more
reasonable 128 bytes.  The exact limit is arbitrary, but currently the
only recognized option is formatted as "dnserror=%lu" which fits well
within this limit.

Reproducer:

    perl -e 'print "#", "A" x 1000000, "\x00"' | keyctl padd dns_resolver desc @s

This bug was found using syzkaller.

Reported-by: Mark Rutland <mark.rutland@arm.com>
Fixes: 4a2d789267e0 ("DNS: If the DNS server returns an error, allow that to be cached [ver #2]")
Cc: <stable@vger.kernel.org> # v2.6.36+
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 net/dns_resolver/dns_key.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c
index e1d4d898a007..7c0aae2e512d 100644
--- a/net/dns_resolver/dns_key.c
+++ b/net/dns_resolver/dns_key.c
@@ -91,9 +91,9 @@ dns_resolver_preparse(struct key_preparsed_payload *prep)
 
 			next_opt = memchr(opt, '#', end - opt) ?: end;
 			opt_len = next_opt - opt;
-			if (!opt_len) {
-				printk(KERN_WARNING
-				       "Empty option to dns_resolver key\n");
+			if (opt_len <= 0 || opt_len > 128) {
+				pr_warn("Invalid option length (%d) for dns_resolver key\n",
+					opt_len);
 				return -EINVAL;
 			}