Received: by 10.192.165.148 with SMTP id m20csp793618imm; Fri, 27 Apr 2018 07:37:07 -0700 (PDT) X-Google-Smtp-Source: AB8JxZp6wzfmBJXZKmZBookYAi7h/s0Zqhf6AsNGVpNli5rqlcp8Ec7JgoGzjmH+04UrtUug0hF4 X-Received: by 2002:a17:902:7443:: with SMTP id e3-v6mr2521342plt.169.1524839827013; Fri, 27 Apr 2018 07:37:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524839826; cv=none; d=google.com; s=arc-20160816; b=h8hMhHmoQmDQehqxdnEXt5BviahhZQZkeg/gisfIPTeZbRyN1Ccgp+Q/Qp/JPhdDOF MUZmHLENzQx8KYXFn7gcqhOX0OloGkTvnw8xs+XUrneRcGMCf09dDnuDs++AV5kChlxf dR7ARfen285Y9afa0YEN8T4iGJ5D/AzSWyUehEmAaGqyigFtS0iSc0ZJWwsNrMcKDc+V KjEtb+ToEEiUXVx83TuAs31HPWuN53VFUoSDV4RZmf+NW9hwcpOrq+dWEH2KYoiXxlW5 VSIqZgw5vSIIkrgQggHewNeQpcZ4p/A4TGYIGu+ii+ZRsbLURSuVRntOH6f4ryOlEzOf cMmA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from:dmarc-filter :arc-authentication-results; bh=fbTI5RblhgXtvn3RB3qwGPcyCQ/hUdC4ODiIIUKCUQs=; b=mrLr97NJwyTisRNlqd/pJ3VPJy8L1hiiexnKBV4j19TePnZjFi2lLHqVdwKUoMKVnw g01btF2t6YrJ+gjMIQbpMpE0FHDW3YSs4yOMsmhnNGIAPtTrCAg8AL2H8e3/jcn9d8d+ /clwfRPKUccdAIhvAIVjejUrVIDfXCEApjAaT7q8e4CD8j7Z/fGf9BAmVvCcvvp+yE03 m9NOzXqs/LbZT4cxYTf95wHYaTsI8o0acQUCFXETI6moWCA4ISn75dnPUbicGDKaUv4y YnSELfQSKwiWpXat1DoOZ9MbrmpiBp474l6D2XGuFyporYk97Tslpb/OlRfrcg0wNieG 5LKg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g185-v6si1310928pgc.155.2018.04.27.07.36.53; Fri, 27 Apr 2018 07:37:06 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934836AbeD0Ofo (ORCPT + 99 others); Fri, 27 Apr 2018 10:35:44 -0400 Received: from mail.kernel.org ([198.145.29.99]:54968 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932882AbeD0OJl (ORCPT ); Fri, 27 Apr 2018 10:09:41 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 2793D21864; Fri, 27 Apr 2018 14:09:40 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 2793D21864 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=linuxfoundation.org Authentication-Results: mail.kernel.org; spf=fail smtp.mailfrom=gregkh@linuxfoundation.org From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Mark Rutland , Eric Biggers , "David S. Miller" Subject: [PATCH 4.16 12/81] KEYS: DNS: limit the length of option strings Date: Fri, 27 Apr 2018 15:58:14 +0200 Message-Id: <20180427135743.968661075@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180427135743.216853156@linuxfoundation.org> References: <20180427135743.216853156@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.16-stable review patch. If anyone has any objections, please let me know. ------------------ From: Eric Biggers [ Upstream commit 9c438d7a3a52dcc2b9ed095cb87d3a5e83cf7e60 ] Adding a dns_resolver key whose payload contains a very long option name resulted in that string being printed in full. This hit the WARN_ONCE() in set_precision() during the printk(), because printk() only supports a precision of up to 32767 bytes: precision 1000000 too large WARNING: CPU: 0 PID: 752 at lib/vsprintf.c:2189 vsnprintf+0x4bc/0x5b0 Fix it by limiting option strings (combined name + value) to a much more reasonable 128 bytes. The exact limit is arbitrary, but currently the only recognized option is formatted as "dnserror=%lu" which fits well within this limit. Also ratelimit the printks. Reproducer: perl -e 'print "#", "A" x 1000000, "\x00"' | keyctl padd dns_resolver desc @s This bug was found using syzkaller. Reported-by: Mark Rutland Fixes: 4a2d789267e0 ("DNS: If the DNS server returns an error, allow that to be cached [ver #2]") Signed-off-by: Eric Biggers Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/dns_resolver/dns_key.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) --- a/net/dns_resolver/dns_key.c +++ b/net/dns_resolver/dns_key.c @@ -91,9 +91,9 @@ dns_resolver_preparse(struct key_prepars next_opt = memchr(opt, '#', end - opt) ?: end; opt_len = next_opt - opt; - if (!opt_len) { - printk(KERN_WARNING - "Empty option to dns_resolver key\n"); + if (opt_len <= 0 || opt_len > 128) { + pr_warn_ratelimited("Invalid option length (%d) for dns_resolver key\n", + opt_len); return -EINVAL; } @@ -127,10 +127,8 @@ dns_resolver_preparse(struct key_prepars } bad_option_value: - printk(KERN_WARNING - "Option '%*.*s' to dns_resolver key:" - " bad/missing value\n", - opt_nlen, opt_nlen, opt); + pr_warn_ratelimited("Option '%*.*s' to dns_resolver key: bad/missing value\n", + opt_nlen, opt_nlen, opt); return -EINVAL; } while (opt = next_opt + 1, opt < end); }