From patchwork Fri Jun 8 16:20:37 2018
X-Patchwork-Submitter: Eric Biggers
X-Patchwork-Id: 926904
X-Patchwork-Delegate: davem@davemloft.net
From: Eric Biggers
To: netdev@vger.kernel.org, "David S . Miller"
Cc: keyrings@vger.kernel.org, David Howells, Wang Lei, Eric Biggers
Subject: [PATCH net] KEYS: DNS: fix parsing multiple options
Date: Fri, 8 Jun 2018 09:20:37 -0700
Message-Id: <20180608162037.129802-1-ebiggers3@gmail.com>
X-Mailing-List: netdev@vger.kernel.org

From: Eric Biggers

My recent fix for dns_resolver_preparse() printing very long strings was
incomplete, as shown by syzbot which still managed to hit the
WARN_ONCE() in set_precision() by adding a crafted "dns_resolver" key:

    precision 50001 too large
    WARNING: CPU: 7 PID: 864 at lib/vsprintf.c:2164 vsnprintf+0x48a/0x5a0

The bug this time isn't just a printing bug, but also a logical error
when multiple options ("#"-separated strings) are given in the key
payload. Specifically, when separating an option string into name and
value, if there is no value then the name is incorrectly considered to
end at the end of the key payload, rather than the end of the current
option. This bypasses validation of the option length, and also means
that specifying multiple options is broken -- which presumably has gone
unnoticed as there is currently only one valid option anyway.

Fix it by correctly calculating the length of the option name.

Reproducer:

    perl -e 'print "#A#", "\x00" x 50000' | keyctl padd dns_resolver desc @s

Fixes: 4a2d789267e0 ("DNS: If the DNS server returns an error, allow that to be cached [ver #2]")
Signed-off-by: Eric Biggers
Reviewed-by: Simon Horman
---
 net/dns_resolver/dns_key.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c index 40c851693f77e..d448823d4d2ed 100644 --- a/net/dns_resolver/dns_key.c +++ b/net/dns_resolver/dns_key.c @@ -97,7 +97,7 @@ dns_resolver_preparse(struct key_preparsed_payload *prep) return -EINVAL; } - eq = memchr(opt, '=', opt_len) ?: end; + eq = memchr(opt, '=', opt_len) ?: next_opt; opt_nlen = eq - opt; eq++; opt_vlen = next_opt - eq; /* will be -1 if no value */
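
Review bot: With the fallback changed to `next_opt`, the no-value path still runs `eq++` and then `opt_vlen = next_opt - eq`, so "no value" is represented only by a pointer stepped one past the option and a length of -1, as the trailing comment says. Anything that later reads `opt_vlen` has to treat it as signed and test for a negative value before using it as a length, which is the same kind of implicit assumption that let the old `?: end` slip through. Consider branching on the `memchr()` result instead, setting `opt_nlen = opt_len` and an explicit no-value marker when no '=' is found, and adding a one-line comment that the option name is bounded by the current option rather than by the payload end. A test key with several "#"-separated options, including a valueless option that is not the last one, would cover the multi-option case the commit message says had gone unnoticed.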