4c0c03ca54
Fix the security problem in the CIFS filesystem DNS lookup code in which a
malicious redirect could be installed by a random user by simply adding a
result record into one of their keyrings with add_key() and then invoking a
CIFS CFS lookup [CVE-2010-2524].
This is done by creating an internal keyring specifically for the caching of
DNS lookups. To enforce the use of this keyring, the module init routine
creates a set of override credentials with the keyring installed as the thread
keyring and instructs request_key() to only install lookup result keys in that
keyring.
The override is then applied around the call to request_key().
This has some additional benefits when a kernel service uses this module to
request a key:
(1) The result keys are owned by root, not the user that caused the lookup.
(2) The result keys don't pop up in the user's keyrings.
(3) The result keys don't come out of the quota of the user that caused the
lookup.
The keyring can be viewed as root by doing cat /proc/keys:
2a0ca6c3 I----- 1 perm 1f030000 0 0 keyring .dns_resolver: 1/4
It can then be listed with 'keyctl list' by root.
# keyctl list 0x2a0ca6c3
1 key in keyring:
726766307: --alswrv 0 0 dns_resolver: foo.bar.com
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-and-Tested-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve French <smfrench@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
238 lines
5.4 KiB
C
238 lines
5.4 KiB
C
/*
|
|
* fs/cifs/dns_resolve.c
|
|
*
|
|
* Copyright (c) 2007 Igor Mammedov
|
|
* Author(s): Igor Mammedov (niallain@gmail.com)
|
|
* Steve French (sfrench@us.ibm.com)
|
|
*
|
|
* Contains the CIFS DFS upcall routines used for hostname to
|
|
* IP address translation.
|
|
*
|
|
* This library is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU Lesser General Public License as published
|
|
* by the Free Software Foundation; either version 2.1 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
|
|
* the GNU Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public License
|
|
* along with this library; if not, write to the Free Software
|
|
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
*/
|
|
|
|
#include <linux/slab.h>
|
|
#include <linux/keyctl.h>
|
|
#include <linux/key-type.h>
|
|
#include <keys/user-type.h>
|
|
#include "dns_resolve.h"
|
|
#include "cifsglob.h"
|
|
#include "cifsproto.h"
|
|
#include "cifs_debug.h"
|
|
|
|
static const struct cred *dns_resolver_cache;
|
|
|
|
/* Checks if supplied name is IP address
|
|
* returns:
|
|
* 1 - name is IP
|
|
* 0 - name is not IP
|
|
*/
|
|
static int
|
|
is_ip(char *name)
|
|
{
|
|
struct sockaddr_storage ss;
|
|
|
|
return cifs_convert_address(name, &ss);
|
|
}
|
|
|
|
static int
|
|
dns_resolver_instantiate(struct key *key, const void *data,
|
|
size_t datalen)
|
|
{
|
|
int rc = 0;
|
|
char *ip;
|
|
|
|
ip = kmalloc(datalen + 1, GFP_KERNEL);
|
|
if (!ip)
|
|
return -ENOMEM;
|
|
|
|
memcpy(ip, data, datalen);
|
|
ip[datalen] = '\0';
|
|
|
|
/* make sure this looks like an address */
|
|
if (!is_ip(ip)) {
|
|
kfree(ip);
|
|
return -EINVAL;
|
|
}
|
|
|
|
key->type_data.x[0] = datalen;
|
|
key->payload.data = ip;
|
|
|
|
return rc;
|
|
}
|
|
|
|
static void
|
|
dns_resolver_destroy(struct key *key)
|
|
{
|
|
kfree(key->payload.data);
|
|
}
|
|
|
|
struct key_type key_type_dns_resolver = {
|
|
.name = "dns_resolver",
|
|
.def_datalen = sizeof(struct in_addr),
|
|
.describe = user_describe,
|
|
.instantiate = dns_resolver_instantiate,
|
|
.destroy = dns_resolver_destroy,
|
|
.match = user_match,
|
|
};
|
|
|
|
/* Resolves server name to ip address.
|
|
* input:
|
|
* unc - server UNC
|
|
* output:
|
|
* *ip_addr - pointer to server ip, caller responcible for freeing it.
|
|
* return 0 on success
|
|
*/
|
|
int
|
|
dns_resolve_server_name_to_ip(const char *unc, char **ip_addr)
|
|
{
|
|
const struct cred *saved_cred;
|
|
int rc = -EAGAIN;
|
|
struct key *rkey = ERR_PTR(-EAGAIN);
|
|
char *name;
|
|
char *data = NULL;
|
|
int len;
|
|
|
|
if (!ip_addr || !unc)
|
|
return -EINVAL;
|
|
|
|
/* search for server name delimiter */
|
|
len = strlen(unc);
|
|
if (len < 3) {
|
|
cFYI(1, "%s: unc is too short: %s", __func__, unc);
|
|
return -EINVAL;
|
|
}
|
|
len -= 2;
|
|
name = memchr(unc+2, '\\', len);
|
|
if (!name) {
|
|
cFYI(1, "%s: probably server name is whole unc: %s",
|
|
__func__, unc);
|
|
} else {
|
|
len = (name - unc) - 2/* leading // */;
|
|
}
|
|
|
|
name = kmalloc(len+1, GFP_KERNEL);
|
|
if (!name) {
|
|
rc = -ENOMEM;
|
|
return rc;
|
|
}
|
|
memcpy(name, unc+2, len);
|
|
name[len] = 0;
|
|
|
|
if (is_ip(name)) {
|
|
cFYI(1, "%s: it is IP, skipping dns upcall: %s",
|
|
__func__, name);
|
|
data = name;
|
|
goto skip_upcall;
|
|
}
|
|
|
|
saved_cred = override_creds(dns_resolver_cache);
|
|
rkey = request_key(&key_type_dns_resolver, name, "");
|
|
revert_creds(saved_cred);
|
|
if (!IS_ERR(rkey)) {
|
|
if (!(rkey->perm & KEY_USR_VIEW)) {
|
|
down_read(&rkey->sem);
|
|
rkey->perm |= KEY_USR_VIEW;
|
|
up_read(&rkey->sem);
|
|
}
|
|
len = rkey->type_data.x[0];
|
|
data = rkey->payload.data;
|
|
} else {
|
|
cERROR(1, "%s: unable to resolve: %s", __func__, name);
|
|
goto out;
|
|
}
|
|
|
|
skip_upcall:
|
|
if (data) {
|
|
*ip_addr = kmalloc(len + 1, GFP_KERNEL);
|
|
if (*ip_addr) {
|
|
memcpy(*ip_addr, data, len + 1);
|
|
if (!IS_ERR(rkey))
|
|
cFYI(1, "%s: resolved: %s to %s", __func__,
|
|
name,
|
|
*ip_addr
|
|
);
|
|
rc = 0;
|
|
} else {
|
|
rc = -ENOMEM;
|
|
}
|
|
if (!IS_ERR(rkey))
|
|
key_put(rkey);
|
|
}
|
|
|
|
out:
|
|
kfree(name);
|
|
return rc;
|
|
}
|
|
|
|
int __init cifs_init_dns_resolver(void)
|
|
{
|
|
struct cred *cred;
|
|
struct key *keyring;
|
|
int ret;
|
|
|
|
printk(KERN_NOTICE "Registering the %s key type\n",
|
|
key_type_dns_resolver.name);
|
|
|
|
/* create an override credential set with a special thread keyring in
|
|
* which DNS requests are cached
|
|
*
|
|
* this is used to prevent malicious redirections from being installed
|
|
* with add_key().
|
|
*/
|
|
cred = prepare_kernel_cred(NULL);
|
|
if (!cred)
|
|
return -ENOMEM;
|
|
|
|
keyring = key_alloc(&key_type_keyring, ".dns_resolver", 0, 0, cred,
|
|
(KEY_POS_ALL & ~KEY_POS_SETATTR) |
|
|
KEY_USR_VIEW | KEY_USR_READ,
|
|
KEY_ALLOC_NOT_IN_QUOTA);
|
|
if (IS_ERR(keyring)) {
|
|
ret = PTR_ERR(keyring);
|
|
goto failed_put_cred;
|
|
}
|
|
|
|
ret = key_instantiate_and_link(keyring, NULL, 0, NULL, NULL);
|
|
if (ret < 0)
|
|
goto failed_put_key;
|
|
|
|
ret = register_key_type(&key_type_dns_resolver);
|
|
if (ret < 0)
|
|
goto failed_put_key;
|
|
|
|
/* instruct request_key() to use this special keyring as a cache for
|
|
* the results it looks up */
|
|
cred->thread_keyring = keyring;
|
|
cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
|
|
dns_resolver_cache = cred;
|
|
return 0;
|
|
|
|
failed_put_key:
|
|
key_put(keyring);
|
|
failed_put_cred:
|
|
put_cred(cred);
|
|
return ret;
|
|
}
|
|
|
|
void __exit cifs_exit_dns_resolver(void)
|
|
{
|
|
key_revoke(dns_resolver_cache->thread_keyring);
|
|
unregister_key_type(&key_type_dns_resolver);
|
|
put_cred(dns_resolver_cache);
|
|
printk(KERN_NOTICE "Unregistered %s key type\n",
|
|
key_type_dns_resolver.name);
|
|
}
|