rpms/kernel/F-13 cifs-fix-malicious-redirect-problem-in-the-dns-lookup-code.patch, NONE, 1.1.2.2 kernel.spec, 1.2084, 1.2084.2.1
Chuck Ebbert
cebbert at fedoraproject.org
Fri Jul 23 15:44:00 UTC 2010
Author: cebbert
Update of /cvs/pkgs/rpms/kernel/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv32457
Modified Files:
Tag: private-f13-2_6_33
kernel.spec
Added Files:
Tag: private-f13-2_6_33
cifs-fix-malicious-redirect-problem-in-the-dns-lookup-code.patch
Log Message:
cifs-fix-malicious-redirect-problem-in-the-dns-lookup-code.patch:
Fix a malicious redirect problem in the DNS lookup code (CVE-2010-2524)
cifs-fix-malicious-redirect-problem-in-the-dns-lookup-code.patch:
cifsfs.c | 6 ++---
dns_resolve.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
dns_resolve.h | 4 +--
3 files changed, 74 insertions(+), 5 deletions(-)
--- NEW FILE cifs-fix-malicious-redirect-problem-in-the-dns-lookup-code.patch ---
From: David Howells <dhowells at redhat.com>
Date: Thu, 22 Jul 2010 11:53:18 +0000 (+0100)
Subject: CIFS: Fix a malicious redirect problem in the DNS lookup code
X-Git-Tag: v2.6.35-rc6~6
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=4c0c03ca54f72fdd5912516ad0a23ec5cf01bda7
CIFS: Fix a malicious redirect problem in the DNS lookup code
[ trivial backport to 2.6.3[23] : cebbert at redhat.com ]
Fix the security problem in the CIFS filesystem DNS lookup code in which a
malicious redirect could be installed by a random user by simply adding a
result record into one of their keyrings with add_key() and then invoking a
CIFS CFS lookup [CVE-2010-2524].
This is done by creating an internal keyring specifically for the caching of
DNS lookups. To enforce the use of this keyring, the module init routine
creates a set of override credentials with the keyring installed as the thread
keyring and instructs request_key() to only install lookup result keys in that
keyring.
The override is then applied around the call to request_key().
This has some additional benefits when a kernel service uses this module to
request a key:
(1) The result keys are owned by root, not the user that caused the lookup.
(2) The result keys don't pop up in the user's keyrings.
(3) The result keys don't come out of the quota of the user that caused the
lookup.
The keyring can be viewed as root by doing cat /proc/keys:
2a0ca6c3 I----- 1 perm 1f030000 0 0 keyring .dns_resolver: 1/4
It can then be listed with 'keyctl list' by root.
# keyctl list 0x2a0ca6c3
1 key in keyring:
726766307: --alswrv 0 0 dns_resolver: foo.bar.com
Signed-off-by: David Howells <dhowells at redhat.com>
Reviewed-and-Tested-by: Jeff Layton <jlayton at redhat.com>
Acked-by: Steve French <smfrench at gmail.com>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
---
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
index 484e52b..2cb1a70 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -923,7 +923,7 @@ init_cifs(void)
goto out_unregister_filesystem;
#endif
#ifdef CONFIG_CIFS_DFS_UPCALL
- rc = register_key_type(&key_type_dns_resolver);
+ rc = cifs_init_dns_resolver();
if (rc)
goto out_unregister_key_type;
#endif
@@ -935,7 +935,7 @@ init_cifs(void)
out_unregister_resolver_key:
#ifdef CONFIG_CIFS_DFS_UPCALL
- unregister_key_type(&key_type_dns_resolver);
+ cifs_exit_dns_resolver();
out_unregister_key_type:
#endif
#ifdef CONFIG_CIFS_UPCALL
@@ -961,7 +961,7 @@ exit_cifs(void)
cifs_proc_clean();
#ifdef CONFIG_CIFS_DFS_UPCALL
cifs_dfs_release_automount_timer();
- unregister_key_type(&key_type_dns_resolver);
+ cifs_exit_dns_resolver();
#endif
#ifdef CONFIG_CIFS_UPCALL
unregister_key_type(&cifs_spnego_key_type);
diff --git a/fs/cifs/dns_resolve.c b/fs/cifs/dns_resolve.c
index 4db2c5e..49315cb 100644
--- a/fs/cifs/dns_resolve.c
+++ b/fs/cifs/dns_resolve.c
@@ -24,12 +24,16 @@
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
+#include <linux/keyctl.h>
+#include <linux/key-type.h>
#include <keys/user-type.h>
#include "dns_resolve.h"
#include "cifsglob.h"
#include "cifsproto.h"
#include "cifs_debug.h"
+static const struct cred *dns_resolver_cache;
+
/* Checks if supplied name is IP address
* returns:
* 1 - name is IP
@@ -94,6 +98,7 @@ struct key_type key_type_dns_resolver = {
int
dns_resolve_server_name_to_ip(const char *unc, char **ip_addr)
{
+ const struct cred *saved_cred;
int rc = -EAGAIN;
struct key *rkey = ERR_PTR(-EAGAIN);
char *name;
@@ -133,8 +138,15 @@ dns_resolve_server_name_to_ip(const char *unc, char **ip_addr)
goto skip_upcall;
}
+ saved_cred = override_creds(dns_resolver_cache);
rkey = request_key(&key_type_dns_resolver, name, "");
+ revert_creds(saved_cred);
if (!IS_ERR(rkey)) {
+ if (!(rkey->perm & KEY_USR_VIEW)) {
+ down_read(&rkey->sem);
+ rkey->perm |= KEY_USR_VIEW;
+ up_read(&rkey->sem);
+ }
len = rkey->type_data.x[0];
data = rkey->payload.data;
} else {
@@ -165,4 +177,61 @@ out:
return rc;
}
+int __init cifs_init_dns_resolver(void)
+{
+ struct cred *cred;
+ struct key *keyring;
+ int ret;
+
+ printk(KERN_NOTICE "Registering the %s key type\n",
+ key_type_dns_resolver.name);
+
+ /* create an override credential set with a special thread keyring in
+ * which DNS requests are cached
+ *
+ * this is used to prevent malicious redirections from being installed
+ * with add_key().
+ */
+ cred = prepare_kernel_cred(NULL);
+ if (!cred)
+ return -ENOMEM;
+
+ keyring = key_alloc(&key_type_keyring, ".dns_resolver", 0, 0, cred,
+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
+ KEY_USR_VIEW | KEY_USR_READ,
+ KEY_ALLOC_NOT_IN_QUOTA);
+ if (IS_ERR(keyring)) {
+ ret = PTR_ERR(keyring);
+ goto failed_put_cred;
+ }
+
+ ret = key_instantiate_and_link(keyring, NULL, 0, NULL, NULL);
+ if (ret < 0)
+ goto failed_put_key;
+
+ ret = register_key_type(&key_type_dns_resolver);
+ if (ret < 0)
+ goto failed_put_key;
+
+ /* instruct request_key() to use this special keyring as a cache for
+ * the results it looks up */
+ cred->thread_keyring = keyring;
+ cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
+ dns_resolver_cache = cred;
+ return 0;
+
+failed_put_key:
+ key_put(keyring);
+failed_put_cred:
+ put_cred(cred);
+ return ret;
+}
+void __exit cifs_exit_dns_resolver(void)
+{
+ key_revoke(dns_resolver_cache->thread_keyring);
+ unregister_key_type(&key_type_dns_resolver);
+ put_cred(dns_resolver_cache);
+ printk(KERN_NOTICE "Unregistered %s key type\n",
+ key_type_dns_resolver.name);
+}
diff --git a/fs/cifs/dns_resolve.h b/fs/cifs/dns_resolve.h
index 966e928..26b9eaa 100644
--- a/fs/cifs/dns_resolve.h
+++ b/fs/cifs/dns_resolve.h
@@ -24,8 +24,8 @@
#define _DNS_RESOLVE_H
#ifdef __KERNEL__
-#include <linux/key-type.h>
-extern struct key_type key_type_dns_resolver;
+extern int __init cifs_init_dns_resolver(void);
+extern void __exit cifs_exit_dns_resolver(void);
extern int dns_resolve_server_name_to_ip(const char *unc, char **ip_addr);
#endif /* KERNEL */
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-13/kernel.spec,v
retrieving revision 1.2084
retrieving revision 1.2084.2.1
diff -u -p -r1.2084 -r1.2084.2.1
--- kernel.spec 6 Jul 2010 22:04:50 -0000 1.2084
+++ kernel.spec 23 Jul 2010 15:43:58 -0000 1.2084.2.1
@@ -864,6 +864,8 @@ Patch13040: ethtool-fix-buffer-overflow.
Patch13050: x86-debug-clear-reserved-bits-of-dr6.patch
Patch13060: x86-debug-send-sigtrap-for-user-icebp.patch
+Patch13070: cifs-fix-malicious-redirect-problem-in-the-dns-lookup-code.patch
+
%endif
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1579,6 +1581,9 @@ ApplyPatch ethtool-fix-buffer-overflow.p
ApplyPatch x86-debug-clear-reserved-bits-of-dr6.patch
ApplyPatch x86-debug-send-sigtrap-for-user-icebp.patch
+# CVE-2010-2524
+ApplyPatch cifs-fix-malicious-redirect-problem-in-the-dns-lookup-code.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2227,6 +2232,10 @@ fi
%changelog
+* Fri Jul 23 2010 Chuck Ebbert <cebbert at redhat.com> 2.6.33.6-147.2.1
+- cifs-fix-malicious-redirect-problem-in-the-dns-lookup-code.patch:
+ Fix a malicious redirect problem in the DNS lookup code (CVE-2010-2524)
+
* Tue Jul 06 2010 Jarod Wilson <jarod at redhat.com> 2.6.33.6-147
- Really make hdpvr i2c IR part register this time, so something can
actually be bound to it (like, say, lirc_zilog)
More information about the scm-commits
mailing list