
Commit b65a0e0c authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'for-linus' of...

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
  DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076]
parents 4438a02f 1362fa07
+8 −1
@@ -61,7 +61,6 @@ before the more general line given above as the first match is the one taken.
	create	dns_resolver  	foo:*	*	/usr/sbin/dns.foo %k
	create	dns_resolver  	foo:*	*	/usr/sbin/dns.foo %k





=====
=====
USAGE
USAGE
=====
=====
@@ -104,6 +103,14 @@ implemented in the module can be called after doing:
     returned also.
     returned also.




===============================
READING DNS KEYS FROM USERSPACE
===============================

Keys of dns_resolver type can be read from userspace using keyctl_read() or
"keyctl read/print/pipe".


=========
=========
MECHANISM
MECHANISM
=========
=========
+17 −3
@@ -67,8 +67,9 @@ dns_resolver_instantiate(struct key *key, const void *_data, size_t datalen)
	size_t result_len = 0;
	size_t result_len = 0;
	const char *data = _data, *end, *opt;
	const char *data = _data, *end, *opt;


	kenter("%%%d,%s,'%s',%zu",
	kenter("%%%d,%s,'%*.*s',%zu",
	       key->serial, key->description, data, datalen);
	       key->serial, key->description,
	       (int)datalen, (int)datalen, data, datalen);


	if (datalen <= 1 || !data || data[datalen - 1] != '\0')
	if (datalen <= 1 || !data || data[datalen - 1] != '\0')
		return -EINVAL;
		return -EINVAL;
@@ -217,6 +218,19 @@ static void dns_resolver_describe(const struct key *key, struct seq_file *m)
		seq_printf(m, ": %u", key->datalen);
		seq_printf(m, ": %u", key->datalen);
}
}


/*
 * read the DNS data
 * - the key's semaphore is read-locked
 */
static long dns_resolver_read(const struct key *key,
			      char __user *buffer, size_t buflen)
{
	if (key->type_data.x[0])
		return key->type_data.x[0];

	return user_read(key, buffer, buflen);
}

struct key_type key_type_dns_resolver = {
struct key_type key_type_dns_resolver = {
	.name		= "dns_resolver",
	.name		= "dns_resolver",
	.instantiate	= dns_resolver_instantiate,
	.instantiate	= dns_resolver_instantiate,
@@ -224,7 +238,7 @@ struct key_type key_type_dns_resolver = {
	.revoke		= user_revoke,
	.revoke		= user_revoke,
	.destroy	= user_destroy,
	.destroy	= user_destroy,
	.describe	= dns_resolver_describe,
	.describe	= dns_resolver_describe,
	.read		= user_read,
	.read		= dns_resolver_read,
};
};


static int __init init_dns_resolver(void)
static int __init init_dns_resolver(void)
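Review bot: The comment above dns_resolver_read() does not explain the early return, which is the security-relevant part of this change: `key->type_data.x[0]` is returned instead of calling user_read(), presumably because a key that cached a lookup error has no payload to copy (the commit title describes a NULL pointer dereference when reading an error key). I would extend the comment with ` * - a key holding a cached error in type_data.x[0] has no payload, so return the error instead of calling user_read()`. It is also worth confirming that `user_revoke` and `user_destroy`, which key_type_dns_resolver still wires in directly, tolerate a key without a payload, since their bodies are not visible on this page. In dns_resolver_instantiate() the kenter() trace still runs before the `!data` and datalen check, and `'%*.*s'` could be reduced to `'%.*s'` because only the precision bounds how much of `data` is read; the width merely pads the output.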