From: Jeff Layton <jlayton@redhat.com> Date: Thu, 8 Jul 2010 14:00:27 -0400 Subject: [fs] cifs: reject DNS upcall add_key req from userspace Message-id: <1278597627-23193-3-git-send-email-jlayton@redhat.com> Patchwork-id: 26764 O-Subject: [RHEL5.6 PATCH 2/2] BZ#612171: cifs: have DNS upcall reject add_key requests from userspace Bugzilla: 612171 CVE: CVE-2010-2524 RH-Acked-by: Steve Dickson <SteveD@redhat.com> RH-Acked-by: David Howells <dhowells@redhat.com> The dns_resolver keyring is susceptible to cache stuffing -- a user could preload the keyring and then trick the kernel into following a DFS referral to a server of his choosing. Use KEY_FLAG_ADDED to reject add_key requests for the dns_resolver key type. Signed-off-by: Jeff Layton <jlayton@redhat.com> diff --git a/fs/cifs/dns_resolve.c b/fs/cifs/dns_resolve.c index df4a306..02e075f 100644 --- a/fs/cifs/dns_resolve.c +++ b/fs/cifs/dns_resolve.c @@ -64,6 +64,9 @@ dns_resolver_instantiate(struct key *key, const void *data, int rc = 0; char *ip; + if (test_bit(KEY_FLAG_ADDED, &key->flags)) + return -EACCES; + ip = kmalloc(datalen + 1, GFP_KERNEL); if (!ip) return -ENOMEM;
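Review bot: the early return in dns_resolver_instantiate wants a short comment above `if (test_bit(KEY_FLAG_ADDED, &key->flags))` saying that the flag marks keys created through add_key from userspace and that such keys are refused to stop the keyring cache-stuffing described in the commit message; without it the bare `return -EACCES;` reads as an arbitrary permission failure to a future maintainer. Placing the check ahead of the kmalloc is right, since nothing has been allocated when it bails out, so there is no leak path. Note that the protection rests entirely on KEY_FLAG_ADDED being set only on the add_key path and never on the request_key/upcall path the kernel's own DNS resolution uses; that behaviour is defined outside this hunk (presumably in patch 1/2 of this series), so the comment should state that dependency and the two patches should not be applied separately. Worth confirming as well that the dns_resolver key type defines no update operation, since otherwise the payload of an already instantiated key could still be replaced from userspace without passing through this check.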