| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2362714a-4f73-4f5c-b26e-7b88bb408bc8@auristor.com>
Date: Thu, 21 Dec 2023 09:26:20 -0500
From: Jeffrey E Altman <jaltman@...istor.com>
To: David Howells <dhowells@...hat.com>,
Markus Suvanto <markus.suvanto@...il.com>,
Marc Dionne <marc.dionne@...istor.com>
Cc: linux-afs@...ts.infradead.org, keyrings@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v4 0/3] afs: Fix dynamic root interaction with failing DNS
lookups
On 12/21/2023 8:45 AM, David Howells wrote:
> Hi Markus, Marc,
>
> Here's a set of fixes to improve the interaction of arbitrary lookups in
> the AFS dynamic root that hit DNS lookup failures[1]:
>
> (1) Always delete unused (particularly negative) dentries as soon as
> possible so that they don't prevent future lookups from retrying.
>
> (2) Fix the handling of new-style negative DNS lookups in ->lookup() to
> make them return ENOENT so that userspace doesn't get confused when
> stat succeeds but the following open on the looked up file then fails.
>
> (3) Fix key handling so that DNS lookup results are reclaimed as soon as
> they expire rather than sitting round either forever or for an
> additional 5 mins beyond a set expiry time returning EKEYEXPIRED.
>
> The patches can be found here:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=afs-fixes
>
> Thanks,
> David
>
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=216637 [1]
> Link: https://lore.kernel.org/r/20231211163412.2766147-1-dhowells@redhat.com/ # v1
> Link: https://lore.kernel.org/r/20231211213233.2793525-1-dhowells@redhat.com/ # v2
> Link: https://lore.kernel.org/r/20231212144611.3100234-1-dhowells@redhat.com/ # v3
>
> Changes
> =======
> ver #4)
> - Reduce the negative timeout from 10s to 1s.
>
> ver #3)
> - Rebased to v6.7-rc5 which has an additional afs patch.
> - Don't add to TIME64_MAX (ie. permanent) when checking expiry time.
>
> ver #2)
> - Fix signed-unsigned comparison when checking return val.
>
> David Howells (3):
> afs: Fix the dynamic root's d_delete to always delete unused dentries
> afs: Fix dynamic root lookup DNS check
> keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on
> expiry
>
> fs/afs/dynroot.c | 31 +++++++++++++++++--------------
> include/linux/key-type.h | 1 +
> net/dns_resolver/dns_key.c | 10 +++++++++-
> security/keys/gc.c | 31 +++++++++++++++++++++----------
> security/keys/internal.h | 11 ++++++++++-
> security/keys/key.c | 15 +++++----------
> security/keys/proc.c | 2 +-
> 7 files changed, 64 insertions(+), 37 deletions(-)
>
>
> _______________________________________________
> linux-afs mailing list
> http://lists.infradead.org/mailman/listinfo/linux-afs
Reviewed-by: Jeffrey Altman <jaltman@...istor.com>
Download attachment "smime.p7s" of type "application/pkcs7-signature" (4039 bytes)
Powered by blists - more mailing lists