linux/Documentation
David Howells 1362fa078d DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076]
When a DNS resolver key is instantiated with an error indication, attempts to
read that key will result in an oops because user_read() is expecting there to
be a payload - and there isn't one [CVE-2011-1076].

Give the DNS resolver key its own read handler that returns the error cached in
key->type_data.x[0] as an error rather than crashing.

Also make the kenter() at the beginning of dns_resolver_instantiate() limit the
amount of data it prints, since the data is not necessarily NUL-terminated.

The buggy code was added in:

	commit 4a2d789267
	Author: Wang Lei <wang840925@gmail.com>
	Date:   Wed Aug 11 09:37:58 2010 +0100
	Subject: DNS: If the DNS server returns an error, allow that to be cached [ver #2]

This can trivially be reproduced by any user with the following program
compiled with -lkeyutils:

	#include <stdlib.h>
	#include <keyutils.h>
	#include <err.h>
	static char payload[] = "#dnserror=6";
	int main()
	{
		key_serial_t key;
		key = add_key("dns_resolver", "a", payload, sizeof(payload),
			      KEY_SPEC_SESSION_KEYRING);
		if (key == -1)
			err(1, "add_key");
		if (keyctl_read(key, NULL, 0) == -1)
			err(1, "read_key");
		return 0;
	}

What should happen is that keyctl_read() reports error 6 (ENXIO) to the user:

	dns-break: read_key: No such device or address

but instead the kernel oopses.

This cannot be reproduced with the 'keyutils add' or 'keyutils padd' commands
as both of those cut the data down below the NUL termination that must be
included in the data.  Without this dns_resolver_instantiate() will return
-EINVAL and the key will not be instantiated such that it can be read.

The oops looks like:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
IP: [<ffffffff811b99f7>] user_read+0x4f/0x8f
PGD 3bdf8067 PUD 385b9067 PMD 0
Oops: 0000 [#1] SMP
last sysfs file: /sys/devices/pci0000:00/0000:00:19.0/irq
CPU 0
Modules linked in:

Pid: 2150, comm: dns-break Not tainted 2.6.38-rc7-cachefs+ #468                  /DG965RY
RIP: 0010:[<ffffffff811b99f7>]  [<ffffffff811b99f7>] user_read+0x4f/0x8f
RSP: 0018:ffff88003bf47f08  EFLAGS: 00010246
RAX: 0000000000000001 RBX: ffff88003b5ea378 RCX: ffffffff81972368
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003b5ea378
RBP: ffff88003bf47f28 R08: ffff88003be56620 R09: 0000000000000000
R10: 0000000000000395 R11: 0000000000000002 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffffffffa1
FS:  00007feab5751700(0000) GS:ffff88003e000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 000000003de40000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process dns-break (pid: 2150, threadinfo ffff88003bf46000, task ffff88003be56090)
Stack:
 ffff88003b5ea378 ffff88003b5ea3a0 0000000000000000 0000000000000000
 ffff88003bf47f68 ffffffff811b708e ffff88003c442bc8 0000000000000000
 00000000004005a0 00007fffba368060 0000000000000000 0000000000000000
Call Trace:
 [<ffffffff811b708e>] keyctl_read_key+0xac/0xcf
 [<ffffffff811b7c07>] sys_keyctl+0x75/0xb6
 [<ffffffff81001f7b>] system_call_fastpath+0x16/0x1b
Code: 75 1f 48 83 7b 28 00 75 18 c6 05 58 2b fb 00 01 be bb 00 00 00 48 c7 c7 76 1c 75 81 e8 13 c2 e9 ff 4c 8b b3 e0 00 00 00 4d 85 ed <41> 0f b7 5e 10 74 2d 4d 85 e4 74 28 e8 98 79 ee ff 49 39 dd 48
RIP  [<ffffffff811b99f7>] user_read+0x4f/0x8f
 RSP <ffff88003bf47f08>
CR2: 0000000000000010

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Jeff Layton <jlayton@redhat.com>
cc: Wang Lei <wang840925@gmail.com>
Signed-off-by: James Morris <jmorris@namei.org>
2011-03-04 09:56:19 +11:00
ABI Merge branch 'can/at91_can-for-net-2.6' of git://git.pengutronix.de/git/mkl/linux-2.6 2011-01-24 15:16:11 -08:00
accounting taskstats: pad taskstats netlink response for alignment issues on ia64 2010-12-22 19:43:34 -08:00
acpi ACPI, APEI, Add APEI generic error status printing support 2010-12-13 23:42:12 -05:00
aoe Documentation: update broken web addresses. 2010-08-04 15:21:40 +02:00
arm Revert "dt: add documentation of ARM dt boot interface" 2011-02-14 08:13:20 -07:00
auxdisplay includecheck fix: Documentation, cfag12864b-example.c 2009-09-24 07:20:57 -07:00
blackfin Blackfin: document SPI CS limitations with CPHA=0 2010-08-06 12:55:52 -04:00
block Documentation: remove anticipatory scheduler info 2010-11-11 12:09:59 +01:00
blockdev Documentation: update broken web addresses. 2010-08-04 15:21:40 +02:00
cdrom Documentation: update broken web addresses. 2010-08-04 15:21:40 +02:00
cgroups revert documentation update for memcg's dirty ratio. 2011-01-14 07:52:02 -08:00
connector Documentation/: it's -> its where appropriate 2010-04-23 02:09:52 +02:00
console doc: fix console doc typo 2010-02-24 13:51:32 +01:00
cpu-freq [CPUFREQ] Processor Clocking Control interface driver 2010-01-13 10:55:16 -05:00
cpuidle
cris
crypto async_tx: add support for asynchronous RAID6 recovery operations 2009-08-29 19:09:27 -07:00
development-process Documentation/development-process: more staging info 2010-11-18 15:00:47 -08:00
device-mapper dm: raid456 basic support 2011-01-13 20:00:02 +00:00
devicetree Revert "dt: add documentation of ARM dt boot interface" 2011-02-14 08:13:20 -07:00
DocBook Docbook: add fs/eventfd.c and fix typos in it 2011-02-21 15:07:04 -08:00
driver-model driver core: prune docs about device_interface 2010-11-10 16:57:11 -08:00
dvb [media] Documentation/lmedm04: Fix firmware extract information 2010-12-29 08:16:30 -02:00
early-userspace
fault-injection lkdtm: add debugfs access and loosen KPROBE ties 2010-03-06 11:26:32 -08:00
fb Merge branch 'fbdev/udlfb' 2011-01-06 18:10:09 +09:00
filesystems NTFS: Fix invalid pointer dereference in ntfs_mft_record_alloc(). 2011-01-31 12:58:11 +10:00
firmware_class firmware: Update hotplug script 2010-08-05 13:53:34 -07:00
frv
hwmon hwmon: (k10temp) add support for AMD Family 12h/14h CPUs 2011-02-18 06:14:24 -08:00
i2c i2c: Add generic I2C multiplexer using GPIO API 2011-01-10 22:11:23 +01:00
i2o
ia64 Documentation: update broken web addresses. 2010-08-04 15:21:40 +02:00
ide ide: preserve Host Protected Area by default (v2) 2009-06-07 13:52:52 +02:00
infiniband Documentation: update broken web addresses. 2010-08-04 15:21:40 +02:00
input Input: fix force feedback capability query example 2011-01-11 01:07:55 -08:00
ioctl pps: add kernel consumer support 2011-01-13 08:03:21 -08:00
isdn Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-08-04 15:31:02 -07:00
ja_JP Documentation: update broken web addresses. 2010-08-04 15:21:40 +02:00
kbuild Merge branch 'next-devicetree' of git://git.secretlab.ca/git/linux-2.6 2011-01-10 08:57:03 -08:00
kdump kdump: update kexec-tools URL and Vivek's email 2010-11-25 14:36:38 +01:00
ko_KR Docs/Kconfig: Update: osdl.org -> linuxfoundation.org 2010-11-15 23:50:13 +01:00
kvm Merge branch 'kvm-updates/2.6.38' of git://git.kernel.org/pub/scm/virt/kvm/kvm 2011-01-13 10:14:24 -08:00
laptops thinkpad-acpi: untangle ACPI/vendor backlight selection 2010-08-16 11:54:50 -04:00
leds Documentation: led drivers lp5521 and lp5523 2010-11-12 07:55:32 -08:00
lguest lguest: document --rng in example Launcher 2011-01-20 21:37:29 +10:30
m68k
make kbuild: introduce HDR_ARCH_LIST for headers_install_all 2010-12-14 22:16:19 +01:00
mips ide: remove unused CONFIG_BLK_DEV_IDE_AU1XXX_SEQTS_PER_RQ 2009-01-14 19:19:03 +01:00
misc-devices Documentation: short descriptions for bh1770glc and apds990x drivers 2010-10-26 16:52:14 -07:00
mmc mmc: add erase, secure erase, trim and secure trim operations 2010-08-12 08:43:30 -07:00
mn10300 trivial: Miscellaneous documentation typo fixes 2009-06-12 18:01:47 +02:00
mtd Documentation: update broken web addresses. 2010-08-04 15:21:40 +02:00
namespaces
netlabel Documentation/: it's -> its where appropriate 2010-04-23 02:09:52 +02:00
networking DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076] 2011-03-04 09:56:19 +11:00
nfc NFC: Driver for NXP Semiconductors PN544 NFC chip. 2011-01-13 08:03:19 -08:00
parisc
PCI Documentation: pci.txt: fix typo 2010-07-11 22:17:45 +02:00
pcmcia pcmcia: use autoconfiguration feature for ioports and iomem 2010-09-29 17:20:24 +02:00
power PM: Fix references to basic-pm-debugging.txt in drivers-testing.txt 2010-12-24 15:02:41 +01:00
powerpc dt: Move device tree documentation out of powerpc directory 2011-01-31 00:09:01 -07:00
pps pps: add parallel port PPS signal generator 2011-01-13 08:03:21 -08:00
prctl
RCU rcu: update documentation/comments for Lai's adoption patch 2010-11-29 22:01:59 -08:00
s390 Documentation: update broken web addresses. 2010-08-04 15:21:40 +02:00
scheduler sched, docs: Update schedstats documentation to version 15 2011-02-01 09:07:13 +01:00
scsi Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-01-13 10:05:56 -08:00
serial pps: timestamp is always passed to dcd_change() 2011-01-13 08:03:20 -08:00
sh sh: clkfwk: Kill off unused clk_set_rate_ex(). 2010-11-15 18:25:12 +09:00
sound ALSA: HDA: Add a new model "asus" for Conexant 5066/205xx 2011-01-22 17:29:22 +01:00
sparc
spi arm/pxa2xx: reorganize SSP and SPI header files 2010-12-01 12:18:33 +01:00
sysctl sysctl: remove obsolete comments 2011-01-13 08:03:18 -08:00
target [SCSI] target: Add LIO target core v4.0.0-rc6 2011-01-14 10:12:29 -06:00
telephony Documentation: update broken web addresses. 2010-08-04 15:21:40 +02:00
thermal thermal: Add event notification to thermal framework 2011-01-12 00:08:35 -05:00
timers tree-wide: fix comment/printk typos 2010-11-01 15:38:34 -04:00
trace Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-01-13 10:05:56 -08:00
uml Documentation: update broken web addresses. 2010-08-04 15:21:40 +02:00
usb USB: use the runtime-PM autosuspend implementation 2010-11-16 14:03:41 -08:00
video4linux [media] v4l2-ctrls: v4l2_ctrl_handler_setup must set is_new to 1 2011-01-19 11:45:32 -02:00
vm thp: transparent hugepage support documentation 2011-01-13 17:32:38 -08:00
w1 w1: DS2423 counter driver and documentation 2011-01-13 08:03:22 -08:00
watchdog watchdog: docs: add an entry for imx2_wdt 2010-07-01 16:02:55 +00:00
wimax i2400m: documentation and instructions for usage 2009-01-07 10:00:18 -08:00
x86 x86: support XZ-compressed kernel 2011-01-13 08:03:25 -08:00
zh_CN Docs/Kconfig: Update: osdl.org -> linuxfoundation.org 2010-11-15 23:50:13 +01:00
.gitignore add random binaries to .gitignore 2010-04-08 11:34:34 +02:00
00-INDEX mmc: add erase, secure erase, trim and secure trim operations 2010-08-12 08:43:30 -07:00
apparmor.txt AppArmor: update Maintainer and Documentation 2010-08-02 15:35:15 +10:00
applying-patches.txt
atomic_ops.txt Documentation/: it's -> its where appropriate 2010-04-23 02:09:52 +02:00
bad_memory.txt
basic_profiling.txt
binfmt_misc.txt Documentation: update broken web addresses. 2010-08-04 15:21:40 +02:00
braille-console.txt trivial: Miscellaneous documentation typo fixes 2009-06-12 18:01:47 +02:00
bt8xxgpio.txt
btmrvl.txt Bluetooth: Add documentation for Marvell Bluetooth driver 2009-08-22 14:25:32 -07:00
BUG-HUNTING
bus-virt-phys-mapping.txt documentation: fix almost duplicate filenames (IO/io-mapping.txt) 2010-07-20 17:49:30 +00:00
cachetlb.txt Documentation/: it's -> its where appropriate 2010-04-23 02:09:52 +02:00
Changes Documentation update broken web addresses 2010-07-11 21:55:42 +02:00
circular-buffers.txt Document Linux's circular buffering capabilities 2010-03-24 16:31:22 -07:00
coccinelle.txt scripts/coccinelle: update for compatibility with Coccinelle 0.2.4 2010-12-03 12:27:01 +01:00
CodingStyle trivial: fix typo milisecond/millisecond for documentation and source comments. 2009-06-12 18:01:46 +02:00
cpu-hotplug.txt documentation: fix erroneous email address. 2010-08-11 23:04:10 +09:30
cpu-load.txt
cputopology.txt topology/sysfs: Provide book id and siblings attributes 2010-09-09 20:41:25 +02:00
credentials.txt CRED: Fix __task_cred()'s lockdep check and banner comment 2010-07-29 15:16:18 -07:00
dcdbas.txt
debugging-modules.txt
debugging-via-ohci1394.txt ieee1394: update URLs in debugging-via-ohci1394.txt 2009-10-03 09:28:11 +02:00
dell_rbu.txt trivial: Documentation/dell_rbu.txt: fix typos 2009-06-12 18:01:50 +02:00
devices.txt Merge branch 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-2.6 2010-10-28 09:35:11 -07:00
DMA-API-HOWTO.txt Documentation: DMA-API-HOWTO.txt: rename ARCH_KMALLOC_MINALIGN to ARCH_DMA_MINALIGN 2010-08-14 11:56:46 -07:00
DMA-API.txt dma-mapping: remove dma_is_consistent API 2010-08-11 08:59:21 -07:00
DMA-attributes.txt
DMA-ISA-LPC.txt
dmaengine.txt async_tx, dmaengine: document channel allocation and api rework 2009-01-05 18:10:19 -07:00
dontdiff Documentation/dontdiff: add further autogenerated files to ignore list 2011-01-06 09:59:37 -08:00
dynamic-debug-howto.txt Dynamic Debug: Introduce ddebug_query= boot parameter 2010-10-22 10:16:42 -07:00
edac.txt EDAC: Fix typos in Documentation/edac.txt 2010-11-25 17:32:47 +01:00
eisa.txt doc: fix Defaultd -> Defaults typo in EISA doc 2010-02-05 12:22:39 +01:00
email-clients.txt Documentation/email-clients.txt: update Thunderbird docs with wordwrap plugin 2011-01-13 08:03:15 -08:00
feature-removal-schedule.txt memsw: deprecate noswapaccount kernel parameter and schedule it for removal 2011-02-02 16:03:18 -08:00
flexible-arrays.txt Update flex_arrays.txt 2009-10-15 07:25:20 -06:00
futex-requeue-pi.txt futex: add requeue-pi documentation 2009-05-09 07:12:50 +02:00
gcov.txt trivial: fix typo in CONFIG_DEBUG_FS in gcov doc 2009-09-21 15:14:56 +02:00
gpio.txt Revert "gpiolib: annotate gpio-initialization with __must_check" 2011-01-13 17:26:46 -08:00
highuid.txt
HOWTO Documentation: update broken web addresses. 2010-08-04 15:21:40 +02:00
hw_random.txt
init.txt init/main.c: improve usability in case of init binary failure 2010-03-06 11:26:29 -08:00
initrd.txt
intel_txt.txt Documentation: update broken web addresses. 2010-08-04 15:21:40 +02:00
Intel-IOMMU.txt intel-iommu: Kill DMAR_BROKEN_GFX_WA option. 2009-09-19 09:37:23 -07:00
io_ordering.txt
io-mapping.txt
iostats.txt remove extraneous 'is' from Documentation/iostats.txt 2011-01-03 14:00:28 +01:00
IPMI.txt IPMI: Add the document description of ipmi_get_smi_info 2010-12-14 00:22:00 -05:00
IRQ-affinity.txt
IRQ.txt
irqflags-tracing.txt
isapnp.txt
java.txt
kernel-doc-nano-HOWTO.txt docbook: warn on unused doc entries 2010-09-11 16:49:21 -07:00
kernel-docs.txt Documentation: update kernel-docs.txt 2011-01-06 09:59:38 -08:00
kernel-parameters.txt Documentation: log_buf_len uses [KMG] suffix 2011-02-21 15:07:04 -08:00
keys-request-key.txt
keys-trusted-encrypted.txt keys: add new trusted key-type 2010-11-29 08:55:25 +11:00
keys.txt KEYS: Add a keyctl to install a process's session keyring on its parent [try #6] 2009-09-02 21:29:22 +10:00
kmemcheck.txt kmemcheck: update documentation 2009-07-01 22:36:22 +02:00
kmemleak.txt kmemleak: add clear command support 2009-09-08 16:36:08 +01:00
kobject.txt kobject: documentation: Update to refer to kset-example.c. 2010-03-19 07:12:20 -07:00
kprobes.txt tree-wide: fix comment/printk typos 2010-11-01 15:38:34 -04:00
kref.txt kref: double kref_put() in my_data_handler() 2009-09-18 09:48:52 -07:00
ldm.txt Documentation: update broken web addresses. 2010-08-04 15:21:40 +02:00
leds-class.txt led-class: always implement blinking 2010-11-12 07:55:32 -08:00
leds-lp3944.txt leds: LED driver for National Semiconductor LP3944 Funlight Chip 2009-06-23 20:21:38 +01:00
local_ops.txt trivial: Miscellaneous documentation typo fixes 2009-06-12 18:01:47 +02:00
lockdep-design.txt lockdep: Fix typos in documentation 2009-08-07 12:03:46 +02:00
lockstat.txt lockstat: Add usage info to Documentation/lockstat.txt 2009-12-06 13:20:02 +01:00
logo.gif Revert "linux.conf.au 2009: Tuz" 2009-04-27 12:00:27 -07:00
logo.txt Revert "linux.conf.au 2009: Tuz" 2009-04-27 12:00:27 -07:00
magic-number.txt take coda-private headers out of include/linux 2011-01-12 20:02:48 -05:00
Makefile [media] Remove the old V4L1 v4lgrab.c file 2010-12-29 08:17:12 -02:00
ManagementStyle
mca.txt
md.txt Documentation: update broken web addresses. 2010-08-04 15:21:40 +02:00
memory-barriers.txt Document Linux's circular buffering capabilities 2010-03-24 16:31:22 -07:00
memory-hotplug.txt mm: add numa node symlink for memory section in sysfs 2009-12-15 08:53:17 -08:00
memory.txt Documentation/memory.txt: remove some very outdated recommendations 2009-09-22 07:17:26 -07:00
mono.txt
mutex-design.txt mutex: Fix annotations to include it in kernel-locking docbook 2010-09-03 08:19:51 +02:00
nmi_watchdog.txt
nommu-mmap.txt nommu: fix malloc performance by adding uninitialized flag 2009-12-15 08:53:24 -08:00
numastat.txt mm: fix NUMA accounting in numastat.txt 2009-09-22 07:17:39 -07:00
oops-tracing.txt panic: Add taint flag TAINT_FIRMWARE_WORKAROUND ('I') 2010-05-19 08:37:43 +01:00
padata.txt Documentation/padata.txt: fix typos etc. 2010-08-11 08:59:18 -07:00
parport-lowlevel.txt
parport.txt
pi-futex.txt
pnp.txt doc: capitalization and other minor fixes in pnp doc 2010-02-05 12:22:44 +01:00
preempt-locking.txt
printk-formats.txt
prio_tree.txt
rbtree.txt Documentation: remove anticipatory scheduler info 2010-11-11 12:09:59 +01:00
rfkill.txt Document the rfkill sysfs ABI 2010-03-10 17:09:33 -05:00
robust-futex-ABI.txt futex: documentation: fix inconsistent description of futex list_op_pending 2009-06-18 13:03:56 -07:00
robust-futexes.txt
rt-mutex-design.txt variable name fix to Documentation/rt-mutex-design.txt 2010-06-05 17:39:09 +02:00
rt-mutex.txt
rtc.txt rtc: add boot_timesource sysfs attribute 2009-09-23 07:39:46 -07:00
SAK.txt
SecurityBugs
SELinux.txt
serial-console.txt
sgi-ioc4.txt
sgi-visws.txt
SM501.txt trivial: Miscellaneous documentation typo fixes 2009-06-12 18:01:47 +02:00
Smack.txt Documentation/: it's -> its where appropriate 2010-04-23 02:09:52 +02:00
sparse.txt update email address 2010-07-19 10:56:54 +02:00
spinlocks.txt Documentation: rw_lock lessons learned 2009-12-14 09:46:56 -08:00
stable_api_nonsense.txt
stable_kernel_rules.txt Documentation: -stable rules: upstream commit ID requirement reworded 2010-04-22 15:24:56 -07:00
SubmitChecklist Documentation: update SubmitChecklist for O=objdir and kconfig testing 2010-05-24 07:31:20 -07:00
SubmittingDrivers Documentation: update broken web addresses. 2010-08-04 15:21:40 +02:00
SubmittingPatches SubmittingPatches: add more about patch descriptions 2010-08-09 20:45:05 -07:00
svga.txt
sysfs-rules.txt Fix typos in comments 2010-03-16 11:47:56 +01:00
sysrq.txt documentation: update sysrq.txt magic sysrq keys 2010-10-26 17:32:41 -07:00
tomoyo.txt TOMOYO: Update version to 2.3.0 2010-08-02 15:35:10 +10:00
unaligned-memory-access.txt
unicode.txt
unshare.txt
VGA-softcursor.txt
vgaarbiter.txt vgaarbiter: fix a typo in the vgaarbiter Documentation 2009-12-16 11:28:58 -08:00
video-output.txt
volatile-considered-harmful.txt Documentation/volatile-considered-harmful.txt: correct cpu_relax() documentation 2010-03-24 16:31:20 -07:00
workqueue.txt workqueue, freezer: unify spelling of 'freeze' + 'able' to 'freezable' 2011-02-16 17:48:59 +01:00
xz.txt decompressors: add XZ decompressor module 2011-01-13 08:03:24 -08:00
zorro.txt