• Eric Biggers's avatar
    KEYS: DNS: fix parsing multiple options · 9c040fa9
    Eric Biggers authored
    BugLink: https://bugs.launchpad.net/bugs/1790884
    
    commit c604cb76 upstream.
    
    My recent fix for dns_resolver_preparse() printing very long strings was
    incomplete, as shown by syzbot which still managed to hit the
    WARN_ONCE() in set_precision() by adding a crafted "dns_resolver" key:
    
        precision 50001 too large
        WARNING: CPU: 7 PID: 864 at lib/vsprintf.c:2164 vsnprintf+0x48a/0x5a0
    
    The bug this time isn't just a printing bug, but also a logical error
    when multiple options ("#"-separated strings) are given in the key
    payload.  Specifically, when separating an option string into name and
    value, if there is no value then the name is incorrectly considered to
    end at the end of the key payload, rather than the end of the current
    option.  This bypasses validation of the option length, and also means
    that specifying multiple options is broken -- which presumably has gone
    unnoticed as there is currently only one valid option anyway.
    
    A similar problem also applied to option values, as the kstrtoul() when
    parsing the "dnserror" option will read past the end of the current
    option and into the next option.
    
    Fix these bugs by correctly computing the length of the option name and
    by copying the option value, null-terminated, into a temporary buffer.
    
    Reproducer for the WARN_ONCE() that syzbot hit:
    
        perl -e 'print "#A#", "\0" x 50000' | keyctl padd dns_resolver desc @s
    
    Reproducer for "dnserror" option being parsed incorrectly (expected
    behavior is to fail when seeing the unknown option "foo", actual
    behavior was to read the dnserror value as "1#foo" and fail there):
    
        perl -e 'print "#dnserror=1#foo\0"' | keyctl padd dns_resolver desc @s
    Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
    Fixes: 4a2d7892 ("DNS: If the DNS server returns an error, allow that to be cached [ver #2]")
    Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
    Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
    9c040fa9
dns_key.c 8.19 KB