)]}' { "log": [ { "commit": "78b7280cce23293f7570ad52c1ffe1485c6d9669", "tree": "f3051c5fe69cb41e88f9470dead8534dda3e94e0", "parents": [ "c151694b2c48d956ac8c8c59c6927f89cc29ef70" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Mar 11 17:57:23 2011 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Mar 17 11:59:32 2011 +1100" }, "message": "KEYS: Improve /proc/keys\n\nImprove /proc/keys by:\n\n (1) Don\u0027t attempt to summarise the payload of a negated key. It won\u0027t have\n one. To this end, a helper function - key_is_instantiated() has been\n added that allows the caller to find out whether the key is positively\n instantiated (as opposed to being uninstantiated or negatively\n instantiated).\n\n (2) Do show keys that are negative, expired or revoked rather than hiding\n them. This requires an override flag (no_state_check) to be passed to\n search_my_process_keyrings() and keyring_search_aux() to suppress this\n check.\n\n Without this, keys that are possessed by the caller, but only grant\n permissions to the caller if possessed are skipped as the possession check\n fails.\n\n Keys that are visible due to user, group or other checks are visible with\n or without this patch.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1362fa078dae16776cd439791c6605b224ea6171", "tree": "76738a2137f8dd2e0064d8e74ff4c6e72def2e05", "parents": [ "dd9c1549edef02290edced639f67b54a25abbe0e" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Mar 03 11:28:58 2011 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Mar 04 09:56:19 2011 +1100" }, "message": "DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076]\n\nWhen a DNS resolver key is instantiated with an error indication, attempts to\nread that key will result in an oops because user_read() is expecting there to\nbe a payload - and there isn\u0027t one [CVE-2011-1076].\n\nGive the DNS resolver key its own read handler that returns the error cached in\nkey-\u003etype_data.x[0] as an error rather than crashing.\n\nAlso make the kenter() at the beginning of dns_resolver_instantiate() limit the\namount of data it prints, since the data is not necessarily NUL-terminated.\n\nThe buggy code was added in:\n\n\tcommit 4a2d789267e00b5a1175ecd2ddefcc78b83fbf09\n\tAuthor: Wang Lei \u003cwang840925@gmail.com\u003e\n\tDate: Wed Aug 11 09:37:58 2010 +0100\n\tSubject: DNS: If the DNS server returns an error, allow that to be cached [ver #2]\n\nThis can trivially be reproduced by any user with the following program\ncompiled with -lkeyutils:\n\n\t#include \u003cstdlib.h\u003e\n\t#include \u003ckeyutils.h\u003e\n\t#include \u003cerr.h\u003e\n\tstatic char payload[] \u003d \"#dnserror\u003d6\";\n\tint main()\n\t{\n\t\tkey_serial_t key;\n\t\tkey \u003d add_key(\"dns_resolver\", \"a\", payload, sizeof(payload),\n\t\t\t KEY_SPEC_SESSION_KEYRING);\n\t\tif (key \u003d\u003d -1)\n\t\t\terr(1, \"add_key\");\n\t\tif (keyctl_read(key, NULL, 0) \u003d\u003d -1)\n\t\t\terr(1, \"read_key\");\n\t\treturn 0;\n\t}\n\nWhat should happen is that keyctl_read() reports error 6 (ENXIO) to the user:\n\n\tdns-break: read_key: No such device or address\n\nbut instead the kernel oopses.\n\nThis cannot be reproduced with the \u0027keyutils add\u0027 or \u0027keyutils padd\u0027 commands\nas both of those cut the data down below the NUL termination that must be\nincluded in the data. Without this dns_resolver_instantiate() will return\n-EINVAL and the key will not be instantiated such that it can be read.\n\nThe oops looks like:\n\nBUG: unable to handle kernel NULL pointer dereference at 0000000000000010\nIP: [\u003cffffffff811b99f7\u003e] user_read+0x4f/0x8f\nPGD 3bdf8067 PUD 385b9067 PMD 0\nOops: 0000 [#1] SMP\nlast sysfs file: /sys/devices/pci0000:00/0000:00:19.0/irq\nCPU 0\nModules linked in:\n\nPid: 2150, comm: dns-break Not tainted 2.6.38-rc7-cachefs+ #468 /DG965RY\nRIP: 0010:[\u003cffffffff811b99f7\u003e] [\u003cffffffff811b99f7\u003e] user_read+0x4f/0x8f\nRSP: 0018:ffff88003bf47f08 EFLAGS: 00010246\nRAX: 0000000000000001 RBX: ffff88003b5ea378 RCX: ffffffff81972368\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003b5ea378\nRBP: ffff88003bf47f28 R08: ffff88003be56620 R09: 0000000000000000\nR10: 0000000000000395 R11: 0000000000000002 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: ffffffffffffffa1\nFS: 00007feab5751700(0000) GS:ffff88003e000000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000010 CR3: 000000003de40000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400\nProcess dns-break (pid: 2150, threadinfo ffff88003bf46000, task ffff88003be56090)\nStack:\n ffff88003b5ea378 ffff88003b5ea3a0 0000000000000000 0000000000000000\n ffff88003bf47f68 ffffffff811b708e ffff88003c442bc8 0000000000000000\n 00000000004005a0 00007fffba368060 0000000000000000 0000000000000000\nCall Trace:\n [\u003cffffffff811b708e\u003e] keyctl_read_key+0xac/0xcf\n [\u003cffffffff811b7c07\u003e] sys_keyctl+0x75/0xb6\n [\u003cffffffff81001f7b\u003e] system_call_fastpath+0x16/0x1b\nCode: 75 1f 48 83 7b 28 00 75 18 c6 05 58 2b fb 00 01 be bb 00 00 00 48 c7 c7 76 1c 75 81 e8 13 c2 e9 ff 4c 8b b3 e0 00 00 00 4d 85 ed \u003c41\u003e 0f b7 5e 10 74 2d 4d 85 e4 74 28 e8 98 79 ee ff 49 39 dd 48\nRIP [\u003cffffffff811b99f7\u003e] user_read+0x4f/0x8f\n RSP \u003cffff88003bf47f08\u003e\nCR2: 0000000000000010\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Jeff Layton \u003cjlayton@redhat.com\u003e\ncc: Wang Lei \u003cwang840925@gmail.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "22674a24b44ac53f244ef6edadd02021a270df5a", "tree": "b00e0cd872d020d99137ceb28226ba2a575d0e9b", "parents": [ "fa13bc3daa5954ce58f68fd34fb1611df6ea6e6f" ], "author": { "name": "Tracey Dent", "email": "tdent48227@gmail.com", "time": "Sun Nov 21 15:03:16 2010 +0000" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Nov 22 08:16:10 2010 -0800" }, "message": "Net: dns_resolver: Makefile: Remove deprecated kbuild goal definitions\n\nChanged Makefile to use \u003cmodules\u003e-y instead of \u003cmodules\u003e-objs\nbecause -objs is deprecated and not mentioned in\nDocumentation/kbuild/makefiles.txt.\n\nSigned-off-by: Tracey Dent \u003ctdent48227@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "4a2d789267e00b5a1175ecd2ddefcc78b83fbf09", "tree": "ee0372ca2719a998fca29e6fe3b9c0a3ceabbfc7", "parents": [ "c2e8139c9f797baa46515af6d350c51823736cbb" ], "author": { "name": "Wang Lei", "email": "wang840925@gmail.com", "time": "Wed Aug 11 09:37:58 2010 +0100" }, "committer": { "name": "Steve French", "email": "sfrench@us.ibm.com", "time": "Wed Aug 11 17:11:28 2010 +0000" }, "message": "DNS: If the DNS server returns an error, allow that to be cached [ver #2]\n\nIf the DNS server returns an error, allow that to be cached in the DNS resolver\nkey in lieu of a value. Userspace passes the desired error number as an option\nin the payload:\n\n\t\"#dnserror\u003d\u003cnumber\u003e\"\n\nUserspace must map h_errno from the name resolution routines to an appropriate\nLinux error before passing it up. Something like the following mapping is\nrecommended:\n\n\t[HOST_NOT_FOUND]\t\u003d ENODATA,\n\t[TRY_AGAIN]\t\t\u003d EAGAIN,\n\t[NO_RECOVERY]\t\t\u003d ECONNREFUSED,\n\t[NO_DATA]\t\t\u003d ENODATA,\n\nin lieu of Linux errors specifically for representing name service errors. The\nfilesystem must map these errors appropropriately before passing them to\nuserspace. AFS is made to map ENODATA and EAGAIN to EDESTADDRREQ for the\nreturn to userspace; ECONNREFUSED is allowed to stand as is.\n\nThe error can be seen in /proc/keys as a negative number after the description\nof the key. Compare, for example, the following key entries:\n\n2f97238c I--Q-- 1 53s 3f010000 0 0 dns_resol afsdb:grand.centrall.org: -61\n338bfbbe I--Q-- 1 59m 3f010000 0 0 dns_resol afsdb:grand.central.org: 37\n\nIf the error option is supplied in the payload, the main part of the payload is\ndiscarded. The key should have an expiry time set by userspace.\n\nSigned-off-by: Wang Lei \u003cwang840925@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nSigned-off-by: Steve French \u003csfrench@us.ibm.com\u003e\n" }, { "commit": "5227bbb008fa6d2efddd86170bdfac2020cf571d", "tree": "2f85a495d2047ab2fc921c373fb76fdc9a739558", "parents": [ "ff9517a68792bb363c16f4e3155c4fc5a7f9d738" ], "author": { "name": "Steve French", "email": "sfrench@us.ibm.com", "time": "Fri Aug 06 03:18:09 2010 +0000" }, "committer": { "name": "Steve French", "email": "sfrench@us.ibm.com", "time": "Fri Aug 06 03:18:09 2010 +0000" }, "message": "[DNS RESOLVER] Minor typo correction\n\nCC: Dave Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Steve French \u003csfrench@us.ibm.com\u003e\n" }, { "commit": "ff9517a68792bb363c16f4e3155c4fc5a7f9d738", "tree": "55fa9883e85e85882422804fb858d5b2f8f59a28", "parents": [ "af352fe960263fbab3252be0ba6d4e0a27e62f5d" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Aug 06 03:13:52 2010 +0100" }, "committer": { "name": "Steve French", "email": "sfrench@us.ibm.com", "time": "Fri Aug 06 02:26:27 2010 +0000" }, "message": "DNS: Fixes for the DNS query module\n\nFixes for the DNS query module, including:\n\n (1) Use \u0027negative\u0027 instead of \u0027-ve\u0027 in the documentation.\n\n (2) Mark the kdoc comment with \u0027/**\u0027 on dns_query().\n\nReported-by: Randy Dunlap \u003crandy.dunlap@oracle.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Steve French \u003csfrench@us.ibm.com\u003e\n" }, { "commit": "af352fe960263fbab3252be0ba6d4e0a27e62f5d", "tree": "dad76de38b3d8128f7e1745834b63d6dee13d777", "parents": [ "07567a5509327bcbf2c867286eb1524447c9b954" ], "author": { "name": "Stephen Rothwell", "email": "sfr@canb.auug.org.au", "time": "Fri Aug 06 03:13:47 2010 +0100" }, "committer": { "name": "Steve French", "email": "sfrench@us.ibm.com", "time": "Fri Aug 06 02:26:23 2010 +0000" }, "message": "cifs: Include linux/err.h for IS_ERR and PTR_ERR\n\nFixes build errors:\n\nnet/dns_resolver/dns_key.c: In function \u0027init_dns_resolver\u0027:\nnet/dns_resolver/dns_key.c:170: error: implicit declaration of function \u0027IS_ERR\u0027\nnet/dns_resolver/dns_key.c:171: error: implicit declaration of function \u0027PTR_ERR\u0027\nnet/dns_resolver/dns_query.c: In function \u0027dns_query\u0027:\nnet/dns_resolver/dns_query.c:126: error: implicit declaration of function \u0027IS_ERR\u0027\nnet/dns_resolver/dns_query.c:127: error: implicit declaration of function \u0027PTR_ERR\u0027\n\nSigned-off-by: Stephen Rothwell \u003csfr@canb.auug.org.au\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Steve French \u003csfrench@us.ibm.com\u003e\n" }, { "commit": "1a4240f4764ac78adbf4b0ebb49b3bd8c72ffa11", "tree": "7d9de5b071e7ab8a8355bdf7902db4c0a0e812b1", "parents": [ "ba5dadbf4e7b531bd7ccecffb4d3935c80a3372e" ], "author": { "name": "Wang Lei", "email": "wang840925@gmail.com", "time": "Wed Aug 04 15:16:33 2010 +0100" }, "committer": { "name": "Steve French", "email": "sfrench@us.ibm.com", "time": "Thu Aug 05 17:17:51 2010 +0000" }, "message": "DNS: Separate out CIFS DNS Resolver code\n\nSeparate out the DNS resolver key type from the CIFS filesystem into its own\nmodule so that it can be made available for general use, including the AFS\nfilesystem module.\n\nThis facility makes it possible for the kernel to upcall to userspace to have\nit issue DNS requests, package up the replies and present them to the kernel\nin a useful form. The kernel is then able to cache the DNS replies as keys\ncan be retained in keyrings.\n\nResolver keys are of type \"dns_resolver\" and have a case-insensitive\ndescription that is of the form \"[\u003ctype\u003e:]\u003cdomain_name\u003e\". The optional \u003ctype\u003e\nindicates the particular DNS lookup and packaging that\u0027s required. The\n\u003cdomain_name\u003e is the query to be made.\n\nIf \u003ctype\u003e isn\u0027t given, a basic hostname to IP address lookup is made, and the\nresult is stored in the key in the form of a printable string consisting of a\ncomma-separated list of IPv4 and IPv6 addresses.\n\nThis key type is supported by userspace helpers driven from /sbin/request-key\nand configured through /etc/request-key.conf. The cifs.upcall utility is\ninvoked for UNC path server name to IP address resolution.\n\nThe CIFS functionality is encapsulated by the dns_resolve_unc_to_ip() function,\nwhich is used to resolve a UNC path to an IP address for CIFS filesystem. This\npart remains in the CIFS module for now.\n\nSee the added Documentation/networking/dns_resolver.txt for more information.\n\nSigned-off-by: Wang Lei \u003cwang840925@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nSigned-off-by: Steve French \u003csfrench@us.ibm.com\u003e\n" } ] }