Commit b65a0e0c authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'for-linus' of...

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
  DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076]
parents 4438a02f 1362fa07
...@@ -61,7 +61,6 @@ before the more general line given above as the first match is the one taken. ...@@ -61,7 +61,6 @@ before the more general line given above as the first match is the one taken.
create dns_resolver foo:* * /usr/sbin/dns.foo %k create dns_resolver foo:* * /usr/sbin/dns.foo %k
===== =====
USAGE USAGE
===== =====
...@@ -104,6 +103,14 @@ implemented in the module can be called after doing: ...@@ -104,6 +103,14 @@ implemented in the module can be called after doing:
returned also. returned also.
===============================
READING DNS KEYS FROM USERSPACE
===============================
Keys of dns_resolver type can be read from userspace using keyctl_read() or
"keyctl read/print/pipe".
========= =========
MECHANISM MECHANISM
========= =========
......
...@@ -67,8 +67,9 @@ dns_resolver_instantiate(struct key *key, const void *_data, size_t datalen) ...@@ -67,8 +67,9 @@ dns_resolver_instantiate(struct key *key, const void *_data, size_t datalen)
size_t result_len = 0; size_t result_len = 0;
const char *data = _data, *end, *opt; const char *data = _data, *end, *opt;
kenter("%%%d,%s,'%s',%zu", kenter("%%%d,%s,'%*.*s',%zu",
key->serial, key->description, data, datalen); key->serial, key->description,
(int)datalen, (int)datalen, data, datalen);
if (datalen <= 1 || !data || data[datalen - 1] != '\0') if (datalen <= 1 || !data || data[datalen - 1] != '\0')
return -EINVAL; return -EINVAL;
...@@ -217,6 +218,19 @@ static void dns_resolver_describe(const struct key *key, struct seq_file *m) ...@@ -217,6 +218,19 @@ static void dns_resolver_describe(const struct key *key, struct seq_file *m)
seq_printf(m, ": %u", key->datalen); seq_printf(m, ": %u", key->datalen);
} }
/*
* read the DNS data
* - the key's semaphore is read-locked
*/
static long dns_resolver_read(const struct key *key,
char __user *buffer, size_t buflen)
{
if (key->type_data.x[0])
return key->type_data.x[0];
return user_read(key, buffer, buflen);
}
struct key_type key_type_dns_resolver = { struct key_type key_type_dns_resolver = {
.name = "dns_resolver", .name = "dns_resolver",
.instantiate = dns_resolver_instantiate, .instantiate = dns_resolver_instantiate,
...@@ -224,7 +238,7 @@ struct key_type key_type_dns_resolver = { ...@@ -224,7 +238,7 @@ struct key_type key_type_dns_resolver = {
.revoke = user_revoke, .revoke = user_revoke,
.destroy = user_destroy, .destroy = user_destroy,
.describe = dns_resolver_describe, .describe = dns_resolver_describe,
.read = user_read, .read = dns_resolver_read,
}; };
static int __init init_dns_resolver(void) static int __init init_dns_resolver(void)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment