Received: by 10.192.165.148 with SMTP id m20csp814876imm; Fri, 27 Apr 2018 07:58:51 -0700 (PDT) X-Google-Smtp-Source: AB8JxZrFRAs53N2d+ajyQlqLBrCcHZZQ95VuN4/jJupiqouAUUR+7tWW9WTjps47zNw6PGJqe288 X-Received: by 2002:a63:3c0c:: with SMTP id j12-v6mr2497400pga.203.1524841131335; Fri, 27 Apr 2018 07:58:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524841131; cv=none; d=google.com; s=arc-20160816; b=Vm65zKRDs+zJNW0p1PmDkRcfvXhxlOOJp4M7iyBXDRHSoIEbVT1HrfxYCjXYLp73T/ QEFtFW4b4OitjlytepIsqPVCPoYj2Lvv6+dm5INBK+yAJdbpKu0vsfDCNWDUuVIrGN1m 10KFDc8YIUpwr6So7jft+oTsG3odtAFqnYlxyxz3wIfxxzQFwgmzmxLl6LF3oVVj8FRV 63Yhhi67BRJoVRs48it17QfLZJkBxKocej0h/fmmwu5oQOEX27QwBPEc4/ziYiQpEvh7 QTkzgxJFxMsYA8AnkLBhvC2520BqklPGKwAPxMoSmjyM8YYgDBBQ1IFlGxZL3E+j4JkS fWpQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from:dmarc-filter :arc-authentication-results; bh=EkwJsIEAvVUA2YoxZ1QQHbAKyt5jDe9lT4PTlhfPAmY=; b=ypdSC8Czm1tcPQiJkW3t+0Os8yAeF/UOb+7OAD0xZyMyC8l67zWZOS3qBXFE/O5+QW Zxonu8g30QliL7jzK0fZxw1d+pSsKQJdorgs0zYQiOq/WXwEWRH3oMWFOAPaWNIDAERN HiNpS6vW62uodvWZALrGrNGGOVB4IgnfGXSZghZwXXINckw0Q87/L+ovyvKktApc+nil VSOpmA1e38rdjUC4SiXPiwXPhwWjC4G0ZF33hQHRrdOC/QNGG3jeNihb/uBAhB/P9CTx lGl48MOz7EyHeA0c/lYSEVlz+iKhCAggRDvo5+pWi5YrZ42bkT3N0irUT2d28QlWkBNe snCQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i35-v6si1344420plg.504.2018.04.27.07.58.37; Fri, 27 Apr 2018 07:58:51 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934062AbeD0OGK (ORCPT + 99 others); Fri, 27 Apr 2018 10:06:10 -0400 Received: from mail.kernel.org ([198.145.29.99]:52190 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933556AbeD0OGG (ORCPT ); Fri, 27 Apr 2018 10:06:06 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id BBF9C21890; Fri, 27 Apr 2018 14:06:05 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org BBF9C21890 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=linuxfoundation.org Authentication-Results: mail.kernel.org; spf=fail smtp.mailfrom=gregkh@linuxfoundation.org From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Mark Rutland , Eric Biggers , "David S. Miller" Subject: [PATCH 4.14 11/80] KEYS: DNS: limit the length of option strings Date: Fri, 27 Apr 2018 15:58:04 +0200 Message-Id: <20180427135733.515538966@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180427135732.928644313@linuxfoundation.org> References: <20180427135732.928644313@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Eric Biggers [ Upstream commit 9c438d7a3a52dcc2b9ed095cb87d3a5e83cf7e60 ] Adding a dns_resolver key whose payload contains a very long option name resulted in that string being printed in full. This hit the WARN_ONCE() in set_precision() during the printk(), because printk() only supports a precision of up to 32767 bytes: precision 1000000 too large WARNING: CPU: 0 PID: 752 at lib/vsprintf.c:2189 vsnprintf+0x4bc/0x5b0 Fix it by limiting option strings (combined name + value) to a much more reasonable 128 bytes. The exact limit is arbitrary, but currently the only recognized option is formatted as "dnserror=%lu" which fits well within this limit. Also ratelimit the printks. Reproducer: perl -e 'print "#", "A" x 1000000, "\x00"' | keyctl padd dns_resolver desc @s This bug was found using syzkaller. Reported-by: Mark Rutland Fixes: 4a2d789267e0 ("DNS: If the DNS server returns an error, allow that to be cached [ver #2]") Signed-off-by: Eric Biggers Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/dns_resolver/dns_key.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) --- a/net/dns_resolver/dns_key.c +++ b/net/dns_resolver/dns_key.c @@ -25,6 +25,7 @@ #include #include #include +#include #include #include #include @@ -91,9 +92,9 @@ dns_resolver_preparse(struct key_prepars next_opt = memchr(opt, '#', end - opt) ?: end; opt_len = next_opt - opt; - if (!opt_len) { - printk(KERN_WARNING - "Empty option to dns_resolver key\n"); + if (opt_len <= 0 || opt_len > 128) { + pr_warn_ratelimited("Invalid option length (%d) for dns_resolver key\n", + opt_len); return -EINVAL; } @@ -127,10 +128,8 @@ dns_resolver_preparse(struct key_prepars } bad_option_value: - printk(KERN_WARNING - "Option '%*.*s' to dns_resolver key:" - " bad/missing value\n", - opt_nlen, opt_nlen, opt); + pr_warn_ratelimited("Option '%*.*s' to dns_resolver key: bad/missing value\n", + opt_nlen, opt_nlen, opt); return -EINVAL; } while (opt = next_opt + 1, opt < end); }