Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076]

Linus Torvalds 15 years ago b65a0e0c 4438a02f

+25 -4

2 changed files

expand all

Documentation

networking

dns_resolver.txt

net

dns_resolver

dns_key.c

+8 -1

Documentation/networking/dns_resolver.txt

··· 61 61 create dns_resolver foo:* * /usr/sbin/dns.foo %k 62 62 63 63 64 - 65 64 ===== 66 65 USAGE 67 66 ===== ··· 101 102 102 103 If _expiry is non-NULL, the expiry time (TTL) of the result will be 103 104 returned also. 105 + 106 + 107 + =============================== 108 + READING DNS KEYS FROM USERSPACE 109 + =============================== 110 + 111 + Keys of dns_resolver type can be read from userspace using keyctl_read() or 112 + "keyctl read/print/pipe". 104 113 105 114 106 115 =========

+17 -3

net/dns_resolver/dns_key.c

··· 67 67 size_t result_len = 0; 68 68 const char *data = _data, *end, *opt; 69 69 70 - kenter("%%%d,%s,'%s',%zu", 71 - key->serial, key->description, data, datalen); 70 + kenter("%%%d,%s,'%*.*s',%zu", 71 + key->serial, key->description, 72 + (int)datalen, (int)datalen, data, datalen); 72 73 73 74 if (datalen <= 1 || !data || data[datalen - 1] != '\0') 74 75 return -EINVAL; ··· 218 217 seq_printf(m, ": %u", key->datalen); 219 218 } 220 219 220 + /* 221 + * read the DNS data 222 + * - the key's semaphore is read-locked 223 + */ 224 + static long dns_resolver_read(const struct key *key, 225 + char __user *buffer, size_t buflen) 226 + { 227 + if (key->type_data.x[0]) 228 + return key->type_data.x[0]; 229 + 230 + return user_read(key, buffer, buflen); 231 + } 232 + 221 233 struct key_type key_type_dns_resolver = { 222 234 .name = "dns_resolver", 223 235 .instantiate = dns_resolver_instantiate, ··· 238 224 .revoke = user_revoke, 239 225 .destroy = user_destroy, 240 226 .describe = dns_resolver_describe, 241 - .read = user_read, 227 + .read = dns_resolver_read, 242 228 }; 243 229 244 230 static int __init init_dns_resolver(void)