Re: [PATCH] keys, dns: Fix missing size check of V1 server-list header

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2024-01-10 at 13:19:49 +0800, Edward Adam Davis wrote:
> On Wed, 10 Jan 2024 12:40:41 +0800, Pengfei Xu wrote:
> > > Hi Linus, Edward,
> > >
> > > Here's Linus's patch dressed up with a commit message.  I would marginally
> > > prefer just to insert the missing size check, but I'm also fine with Linus's
> > > approach for now until we have different content types or newer versions.
> > >
> > > Note that I'm not sure whether I should require Linus's S-o-b since he made
> > > modifications or whether I should use a Codeveloped-by line for him.
> > >
> > > David
> > > ---
> > > From: Edward Adam Davis <eadavis@xxxxxx>
> > >
> > > keys, dns: Fix missing size check of V1 server-list header
> > >
> > > The dns_resolver_preparse() function has a check on the size of the payload
> > > for the basic header of the binary-style payload, but is missing a check
> > > for the size of the V1 server-list payload header after determining that's
> > > what we've been given.
> > >
> > > Fix this by getting rid of the the pointer to the basic header and just
> > > assuming that we have a V1 server-list payload and moving the V1 server
> > > list pointer inside the if-statement.  Dealing with other types and
> > > versions can be left for when such have been defined.
> > >
> > > This can be tested by doing the following with KASAN enabled:
> > >
> > >         echo -n -e '\x0\x0\x1\x2' | keyctl padd dns_resolver foo @p
> > >
> > > and produces an oops like the following:
> > >
> > >         BUG: KASAN: slab-out-of-bounds in dns_resolver_preparse+0xc9f/0xd60 net/dns_resolver/dns_key.c:127
> > >         Read of size 1 at addr ffff888028894084 by task syz-executor265/5069
> > >         ...
> > >         Call Trace:
> > >          <TASK>
> > >          __dump_stack lib/dump_stack.c:88 [inline]
> > >          dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
> > >          print_address_description mm/kasan/report.c:377 [inline]
> > >          print_report+0xc3/0x620 mm/kasan/report.c:488
> > >          kasan_report+0xd9/0x110 mm/kasan/report.c:601
> > >          dns_resolver_preparse+0xc9f/0xd60 net/dns_resolver/dns_key.c:127
> > >          __key_create_or_update+0x453/0xdf0 security/keys/key.c:842
> > >          key_create_or_update+0x42/0x50 security/keys/key.c:1007
> > >          __do_sys_add_key+0x29c/0x450 security/keys/keyctl.c:134
> > >          do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> > >          do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
> > >          entry_SYSCALL_64_after_hwframe+0x62/0x6a
> > >
> > > This patch was originally by Edward Adam Davis, but was modified by Linus.
> > >
> > > Fixes: b946001d3bb1 ("keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry")
> > > Reported-and-tested-by: syzbot+94bbb75204a05da3d89f@xxxxxxxxxxxxxxxxxxxxxxxxx
> > > Link: https://lore.kernel.org/r/0000000000009b39bc060c73e209@xxxxxxxxxx/
> > > Suggested-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> > > Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
> > > Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
> > > Tested-by: David Howells <dhowells@xxxxxxxxxx>
> > > cc: Edward Adam Davis <eadavis@xxxxxx>
> > > cc: Simon Horman <horms@xxxxxxxxxx>
> > > cc: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> > > cc: Jarkko Sakkinen <jarkko@xxxxxxxxxx>
> > > cc: Jeffrey E Altman <jaltman@xxxxxxxxxxxx>
> > > cc: Wang Lei <wang840925@xxxxxxxxx>
> > > cc: Jeff Layton <jlayton@xxxxxxxxxx>
> > > cc: Steve French <sfrench@xxxxxxxxxx>
> > > cc: Marc Dionne <marc.dionne@xxxxxxxxxxxx>
> > > cc: "David S. Miller" <davem@xxxxxxxxxxxxx>
> > > cc: Eric Dumazet <edumazet@xxxxxxxxxx>
> > > cc: Jakub Kicinski <kuba@xxxxxxxxxx>
> > > cc: Paolo Abeni <pabeni@xxxxxxxxxx>
> > > cc: linux-afs@xxxxxxxxxxxxxxxxxxx
> > > cc: linux-cifs@xxxxxxxxxxxxxxx
> > > cc: linux-nfs@xxxxxxxxxxxxxxx
> > > cc: ceph-devel@xxxxxxxxxxxxxxx
> > > cc: keyrings@xxxxxxxxxxxxxxx
> > > cc: netdev@xxxxxxxxxxxxxxx
> > > ---
> > >  net/dns_resolver/dns_key.c |   19 +++++++++----------
> > >  1 file changed, 9 insertions(+), 10 deletions(-)
> > >
> > > diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c
> > > index 2a6d363763a2..f18ca02aa95a 100644
> > > --- a/net/dns_resolver/dns_key.c
> > > +++ b/net/dns_resolver/dns_key.c
> > > @@ -91,8 +91,6 @@ const struct cred *dns_resolver_cache;
> > >  static int
> > >  dns_resolver_preparse(struct key_preparsed_payload *prep)
> > >  {
> > > -	const struct dns_server_list_v1_header *v1;
> > > -	const struct dns_payload_header *bin;
> > >  	struct user_key_payload *upayload;
> > >  	unsigned long derrno;
> > >  	int ret;
> > > @@ -103,27 +101,28 @@ dns_resolver_preparse(struct key_preparsed_payload *prep)
> > >  		return -EINVAL;
> > >
> > >  	if (data[0] == 0) {
> > > +		const struct dns_server_list_v1_header *v1;
> > > +
> > >  		/* It may be a server list. */
> > > -		if (datalen <= sizeof(*bin))
> > > +		if (datalen <= sizeof(*v1))
> > >  			return -EINVAL;
> > >
> > > -		bin = (const struct dns_payload_header *)data;
> > > -		kenter("[%u,%u],%u", bin->content, bin->version, datalen);
> > > -		if (bin->content != DNS_PAYLOAD_IS_SERVER_LIST) {
> > > +		v1 = (const struct dns_server_list_v1_header *)data;
> > > +		kenter("[%u,%u],%u", v1->hdr.content, v1->hdr.version, datalen);
> > > +		if (v1->hdr.content != DNS_PAYLOAD_IS_SERVER_LIST) {
> > >  			pr_warn_ratelimited(
> > >  				"dns_resolver: Unsupported content type (%u)\n",
> > > -				bin->content);
> > > +				v1->hdr.content);
> > >  			return -EINVAL;
> > >  		}
> > >
> > > -		if (bin->version != 1) {
> > > +		if (v1->hdr.version != 1) {
> > >  			pr_warn_ratelimited(
> > >  				"dns_resolver: Unsupported server list version (%u)\n",
> > > -				bin->version);
> > > +				v1->hdr.version);
> > >  			return -EINVAL;
> > >  		}
> > >
> > > -		v1 = (const struct dns_server_list_v1_header *)bin;
> > >  		if ((v1->status != DNS_LOOKUP_GOOD &&
> > >  		     v1->status != DNS_LOOKUP_GOOD_WITH_BAD)) {
> > >  			if (prep->expiry == TIME64_MAX)
> > >
> > 
> > Hi Edward and kernel experts,
> > 
> >   Above patch(upstream commit: 1997b3cb4217b09) seems causing a keyctl05 case
> > to fail in LTP:
> > https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/syscalls/keyctl/keyctl05.c
> > 
> > It could be reproduced on a bare metal platform.
> > Kconfig: https://raw.githubusercontent.com/xupengfe/kconfig_diff/main/config_v6.7-rc8
> > Seems general kconfig could reproduce this issue.
> > 
> >   Bisected info between v6.7-rc7(keyctl05 passed) and v6.7-rc8(keyctl05 failed)
> > is in attached.
> > 
> > keyctl05 failed in add_key with type "dns_resolver" syscall step tracked
> > by strace:
> > "
> > [pid 863107] add_key("dns_resolver", "desc", "\0\0\1\377\0", 5, KEY_SPEC_SESSION_KEYRING <unfinished ...>
> > [pid 863106] <... alarm resumed>)       = 30
> > [pid 863107] <... add_key resumed>)     = -1 EINVAL (Invalid argument)
> The reason for the failure of add_key() is that the length of the incoming data
> is 5, which is less than sizeof(*v1), so keyctl05.c failed.
> Suggest modifying keyctl05.c to increase the length of the incoming data to 6 
> bytes or more.

Thanks for your suggestion!
dns_server_list_v1_header struct is 6 u8 data instead of previous bin.

After increased the dns_res_payload to 7 bytes(6 bytes was still failed),
keyctl05 could be passed.
"
static char dns_res_payload[] = { 0x00, 0x00, 0x01, 0xff, 0x00, 0x00, 0x00 };
"

I will improve the case in LTP.

Thanks!

> > "
> > 
> > Passed behavior in v6.7-rc7 kernel:
> > "
> > [pid  6726] add_key("dns_resolver", "desc", "\0\0\1\377\0", 5, KEY_SPEC_SESSION_KEYRING <unfinished ...>
> > [pid  6725] rt_sigreturn({mask=[]})     = 61
> > [pid  6726] <... add_key resumed>)      = 1029222644
> > "
> > 
> > Do you mind to take a look for above issue?
> Edward,
> BR
> 




[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [NTFS 3]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [NTFS 3]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux