UbiquitousOS
/
OpenCloudOS-Kernel
mirror of https://gitee.com/OpenCloudOS/OpenCloudOS-Kernel.git
11
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6 

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
  DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076]
This commit is contained in:
Linus Torvalds 2011-03-03 15:48:01 -08:00
parent 4438a02fc4 1362fa078d
commit b65a0e0c84
2 changed files with 25 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
Documentation/networking/dns_resolver.txt
View File

@ -61,7 +61,6 @@ before the more general line given above as the first match is the one taken.
create dns_resolver foo:* * /usr/sbin/dns.foo %k create dns_resolver foo:* * /usr/sbin/dns.foo %k
===== =====
USAGE USAGE
===== =====
@ -104,6 +103,14 @@ implemented in the module can be called after doing:
returned also. returned also.
===============================
READING DNS KEYS FROM USERSPACE
===============================
Keys of dns_resolver type can be read from userspace using keyctl_read() or
"keyctl read/print/pipe".
========= =========
MECHANISM MECHANISM
========= =========

20
net/dns_resolver/dns_key.c
View File

@ -67,8 +67,9 @@ dns_resolver_instantiate(struct key *key, const void *_data, size_t datalen)
size_t result_len = 0; size_t result_len = 0;
const char *data = _data, *end, *opt; const char *data = _data, *end, *opt;
kenter("%%%d,%s,'%s',%zu", kenter("%%%d,%s,'%*.*s',%zu",
key->serial, key->description, data, datalen); key->serial, key->description,
(int)datalen, (int)datalen, data, datalen);
if (datalen <= 1 || !data || data[datalen - 1] != '\0') if (datalen <= 1 || !data || data[datalen - 1] != '\0')
return -EINVAL; return -EINVAL;
@ -217,6 +218,19 @@ static void dns_resolver_describe(const struct key *key, struct seq_file *m)
seq_printf(m, ": %u", key->datalen); seq_printf(m, ": %u", key->datalen);
} }
/*
* read the DNS data
* - the key's semaphore is read-locked
*/
static long dns_resolver_read(const struct key *key,
char __user *buffer, size_t buflen)
{
if (key->type_data.x[0])
return key->type_data.x[0];
return user_read(key, buffer, buflen);
}
struct key_type key_type_dns_resolver = { struct key_type key_type_dns_resolver = {
.name = "dns_resolver", .name = "dns_resolver",
.instantiate = dns_resolver_instantiate, .instantiate = dns_resolver_instantiate,
@ -224,7 +238,7 @@ struct key_type key_type_dns_resolver = {
.revoke = user_revoke, .revoke = user_revoke,
.destroy = user_destroy, .destroy = user_destroy,
.describe = dns_resolver_describe, .describe = dns_resolver_describe,
.read = user_read, .read = dns_resolver_read,
}; };
static int __init init_dns_resolver(void) static int __init init_dns_resolver(void)