From: Eric Biggers
To: netdev@vger.kernel.org, "David S . Miller"
Cc: keyrings@vger.kernel.org, Mark Rutland, Eric Biggers
Subject: [PATCH RESEND net v2] KEYS: DNS: limit the length of option strings
Date: Tue, 17 Apr 2018 12:07:06 -0700
Message-Id: <20180417190706.217384-1-ebiggers3@gmail.com>
X-Patchwork-Submitter: Eric Biggers
X-Patchwork-Id: 899586
X-Patchwork-Delegate: davem@davemloft.net
X-Mailing-List: netdev@vger.kernel.org

From: Eric Biggers

Adding a dns_resolver key whose payload contains a very long option name
resulted in that string being printed in full. This hit the WARN_ONCE()
in set_precision() during the printk(), because printk() only supports a
precision of up to 32767 bytes:

    precision 1000000 too large
    WARNING: CPU: 0 PID: 752 at lib/vsprintf.c:2189 vsnprintf+0x4bc/0x5b0

Fix it by limiting option strings (combined name + value) to a much more
reasonable 128 bytes. The exact limit is arbitrary, but currently the
only recognized option is formatted as "dnserror=%lu" which fits well
within this limit.

Also ratelimit the printks.

Reproducer:

    perl -e 'print "#", "A" x 1000000, "\x00"' | keyctl padd dns_resolver desc @s

This bug was found using syzkaller.

Reported-by: Mark Rutland
Fixes: 4a2d789267e0 ("DNS: If the DNS server returns an error, allow that to be cached [ver #2]")
Signed-off-by: Eric Biggers

--- net/dns_resolver/dns_key.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c index 8396705deffc..40c851693f77 100644 --- a/net/dns_resolver/dns_key.c +++ b/net/dns_resolver/dns_key.c @@ -91,9 +91,9 @@ dns_resolver_preparse(struct key_preparsed_payload *prep) next_opt = memchr(opt, '#', end - opt) ?: end; opt_len = next_opt - opt; - if (!opt_len) { - printk(KERN_WARNING - "Empty option to dns_resolver key\n"); + if (opt_len <= 0 || opt_len > 128) { + pr_warn_ratelimited("Invalid option length (%d) for dns_resolver key\n", + opt_len); return -EINVAL; } @@ -127,10 +127,8 @@ dns_resolver_preparse(struct key_preparsed_payload *prep) } bad_option_value: - printk(KERN_WARNING - "Option '%*.*s' to dns_resolver key:" - " bad/missing value\n", - opt_nlen, opt_nlen, opt); + pr_warn_ratelimited("Option '%*.*s' to dns_resolver key: bad/missing value\n", + opt_nlen, opt_nlen, opt); return -EINVAL; } while (opt = next_opt + 1, opt < end); }
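
Review bot: In the first hunk (@@ -91,9 +91,9 @@), the limit in `opt_len > 128` is a bare literal. The commit message calls the value arbitrary and ties it to the only recognized option, "dnserror=%lu"; a named constant with a one-line comment saying that it bounds the combined name and value would keep that rationale next to the check. The condition also widens from `!opt_len` to `opt_len <= 0` without explanation: if a negative length is reachable, the commit message should say how, and if it is not, the original `!opt_len` test reads more clearly.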
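
Review bot: In the second hunk (@@ -127,10 +127,8 @@), the bad_option_value message still prints the option name taken from the key payload with '%*.*s', and nothing in the visible lines bounds opt_nlen at that point; the output stays short only because of the opt_len check in the earlier hunk. A short comment at the label stating that dependency would help keep the two in sync. The field width duplicates the precision, so '%.*s' would be enough, and since the bytes are user-supplied, an escaped format such as %*pE is worth considering so that control characters do not reach the log unescaped.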