[syzbot] [net?] KASAN: slab-out-of-bounds Read in dns_resolver_preparse
syzbot
syzbot+94bbb75204a05da3d89f at syzkaller.appspotmail.com
Sat Dec 23 23:17:22 UTC 2023
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
want either no args or 2 args (repo, branch), got 5
>
> diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c
> index 2a6d363763a2..f18ca02aa95a 100644
> --- a/net/dns_resolver/dns_key.c
> +++ b/net/dns_resolver/dns_key.c
> @@ -91,8 +91,6 @@ const struct cred *dns_resolver_cache;
> static int
> dns_resolver_preparse(struct key_preparsed_payload *prep)
> {
> - const struct dns_server_list_v1_header *v1;
> - const struct dns_payload_header *bin;
> struct user_key_payload *upayload;
> unsigned long derrno;
> int ret;
> @@ -103,27 +101,28 @@ dns_resolver_preparse(struct key_preparsed_payload *prep)
> return -EINVAL;
>
> if (data[0] == 0) {
> + const struct dns_server_list_v1_header *v1;
> +
> /* It may be a server list. */
> - if (datalen <= sizeof(*bin))
> + if (datalen <= sizeof(*v1))
> return -EINVAL;
>
> - bin = (const struct dns_payload_header *)data;
> - kenter("[%u,%u],%u", bin->content, bin->version, datalen);
> - if (bin->content != DNS_PAYLOAD_IS_SERVER_LIST) {
> + v1 = (const struct dns_server_list_v1_header *)data;
> + kenter("[%u,%u],%u", v1->hdr.content, v1->hdr.version, datalen);
> + if (v1->hdr.content != DNS_PAYLOAD_IS_SERVER_LIST) {
> pr_warn_ratelimited(
> "dns_resolver: Unsupported content type (%u)\n",
> - bin->content);
> + v1->hdr.content);
> return -EINVAL;
> }
>
> - if (bin->version != 1) {
> + if (v1->hdr.version != 1) {
> pr_warn_ratelimited(
> "dns_resolver: Unsupported server list version (%u)\n",
> - bin->version);
> + v1->hdr.version);
> return -EINVAL;
> }
>
> - v1 = (const struct dns_server_list_v1_header *)bin;
> if ((v1->status != DNS_LOOKUP_GOOD &&
> v1->status != DNS_LOOKUP_GOOD_WITH_BAD)) {
> if (prep->expiry == TIME64_MAX)
>
More information about the Linux-security-module-archive
mailing list