Open Source and information security mailing list archives
Date: Wed, 10 Jan 2024 19:06:24 +0800
From: Pengfei Xu <pengfei.xu@...el.com>
To: David Howells <dhowells@...hat.com>
CC: <eadavis@...com>, Linus Torvalds <torvalds@...ux-foundation.org>, "Simon
 Horman" <horms@...nel.org>, Markus Suvanto <markus.suvanto@...il.com>,
	"Jeffrey E Altman" <jaltman@...istor.com>, Marc Dionne
	<marc.dionne@...istor.com>, "Wang Lei" <wang840925@...il.com>, Jeff Layton
	<jlayton@...hat.com>, Steve French <smfrench@...il.com>, Jarkko Sakkinen
	<jarkko@...nel.org>, "David S. Miller" <davem@...emloft.net>, Eric Dumazet
	<edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni
	<pabeni@...hat.com>, <linux-afs@...ts.infradead.org>,
	<keyrings@...r.kernel.org>, <linux-cifs@...r.kernel.org>,
	<linux-nfs@...r.kernel.org>, <ceph-devel@...r.kernel.org>,
	<netdev@...r.kernel.org>, <linux-fsdevel@...r.kernel.org>,
	<linux-kernel@...r.kernel.org>, <heng.su@...el.com>
Subject: Re: [PATCH] keys, dns: Fix missing size check of V1 server-list
 header

On 2024-01-10 at 10:14:28 +0000, David Howells wrote:
> Pengfei Xu <pengfei.xu@...el.com> wrote:
> 
> > >   Bisected info between v6.7-rc7 (keyctl05 passed) and v6.7-rc8 (keyctl05 failed)
> > > is attached.
> > 
> > keyctl05 failed in add_key with type "dns_resolver" syscall step tracked
> > by strace:
> > "
> > [pid 863107] add_key("dns_resolver", "desc", "\0\0\1\377\0", 5, KEY_SPEC_SESSION_KEYRING <unfinished ...>
> > [pid 863106] <... alarm resumed>)       = 30
> > [pid 863107] <... add_key resumed>)     = -1 EINVAL (Invalid argument)
> > "
> 
> It should fail as the payload is actually invalid.  The payload specifies a
> version 1 format - and that requires a 6-byte header.  The bug the patch
> fixes is that whilst there is a length check for the basic 3-byte header,
> there was no length check for the extended v1 header.

Thanks for the description!

> 
> > After increasing the dns_res_payload to 7 bytes (6 bytes still failed),
> 
> The following doesn't work for you?
> 
> 	echo -n -e '\0\0\01\xff\0\0' | keyctl padd dns_resolver desc @p

I tried as follows, 6 bytes failed and 7 bytes passed:
"
# echo -n -e '\0\0\01\xff\0\0' | keyctl padd dns_resolver desc @p
add_key: Invalid argument
# echo -n -e '\0\0\01\xff\0\0\0' | keyctl padd dns_resolver desc @p
74678921
# uname -r
6.7.0-rc8
"

Thanks!

> 
> David
> 
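
The following C sketch is an added illustration, not part of the thread and not kernel code. It runs the 5-, 6- and 7-byte payloads quoted above through a two-stage header length check and shows how writing the v1 test as `<=` versus `<` decides whether a payload of exactly 6 bytes is accepted. The names, the version byte offset and the three check modes are assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BASIC_HDR_LEN  3 /* basic header size given in the thread */
#define V1_HDR_LEN     6 /* v1 header size given in the thread */
#define VERSION_OFFSET 2 /* assumption: version is the third byte */

/* Hypothetical modes for how the v1 length test is written. */
enum v1_check { V1_CHECK_NONE, V1_CHECK_LE, V1_CHECK_LT };

/* Constructed payloads: the 5-, 6- and 7-byte inputs from the thread. */
static const uint8_t p5[] = { 0, 0, 1, 0xff, 0 };
static const uint8_t p6[] = { 0, 0, 1, 0xff, 0, 0 };
static const uint8_t p7[] = { 0, 0, 1, 0xff, 0, 0, 0 };

/* Returns 0 if the header may be parsed, -EINVAL if it must be rejected. */
static int check_payload(const uint8_t *data, size_t len, enum v1_check mode)
{
    if (len < BASIC_HDR_LEN)
        return -EINVAL;
    if (data[VERSION_OFFSET] != 1)
        return -EINVAL; /* this sketch handles version 1 only */
    switch (mode) {
    case V1_CHECK_NONE: /* no v1 check: a 5-byte input reaches code expecting 6 */
        return 0;
    case V1_CHECK_LE:   /* rejects len == 6: matches "6 failed, 7 passed" */
        return len <= V1_HDR_LEN ? -EINVAL : 0;
    case V1_CHECK_LT:   /* accepts a payload that is exactly the 6-byte header */
        return len < V1_HDR_LEN ? -EINVAL : 0;
    }
    return -EINVAL;
}

int main(void)
{
    static const char *names[] = { "no v1 check", "len <= 6", "len < 6" };
    for (int m = V1_CHECK_NONE; m <= V1_CHECK_LT; m++)
        printf("%-12s 5:%d 6:%d 7:%d\n", names[m],
               check_payload(p5, sizeof(p5), (enum v1_check)m),
               check_payload(p6, sizeof(p6), (enum v1_check)m),
               check_payload(p7, sizeof(p7), (enum v1_check)m));
    return 0;
}
```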
