CVE-2023-54170

In the Linux kernel, the following vulnerability has been resolved:

keys: Fix linking a duplicate key to a keyring's assoc_array

When making a DNS query inside the kernel using dnsquery(), the request code can in rare cases end up creating a duplicate index key in the assocarray of the destination keyring. It is eventually found by a BUGON() check in the assocarray implementation and results in a crash.

Example report: [2158499.700025] kernel BUG at ../lib/assocarray.c:652! [2158499.700039] invalid opcode: 0000 [#1] SMP PTI [2158499.700065] CPU: 3 PID: 31985 Comm: kworker/3:1 Kdump: loaded Not tainted 5.3.18-150300.59.90-default #1 SLE15-SP3 [2158499.700096] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 [2158499.700351] Workqueue: cifsiod cifsresolveserver [cifs] [2158499.700380] RIP: 0010:assocarrayinsert+0x85f/0xa40 [2158499.700401] Code: ff 74 2b 48 8b 3b 49 8b 45 18 4c 89 e6 48 83 e7 fe e8 95 ec 74 00 3b 45 88 7d db 85 c0 79 d4 0f 0b 0f 0b 0f 0b e8 41 f2 be ff <0f> 0b 0f 0b 81 7d 88 ff ff ff 7f 4c 89 eb 4c 8b ad 58 ff ff ff 0f [2158499.700448] RSP: 0018:ffffc0bd6187faf0 EFLAGS: 00010282 [2158499.700470] RAX: ffff9f1ea7da2fe8 RBX: ffff9f1ea7da2fc1 RCX: 0000000000000005 [2158499.700492] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000 [2158499.700515] RBP: ffffc0bd6187fbb0 R08: ffff9f185faf1100 R09: 0000000000000000 [2158499.700538] R10: ffff9f1ea7da2cc0 R11: 000000005ed8cec8 R12: ffffc0bd6187fc28 [2158499.700561] R13: ffff9f15feb8d000 R14: ffff9f1ea7da2fc0 R15: ffff9f168dc0d740 [2158499.700585] FS: 0000000000000000(0000) GS:ffff9f185fac0000(0000) knlGS:0000000000000000 [2158499.700610] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [2158499.700630] CR2: 00007fdd94fca238 CR3: 0000000809d8c006 CR4: 00000000003706e0 [2158499.700702] Call Trace: [2158499.700741] ? keyalloc+0x447/0x4b0 [2158499.700768] ? __keylinkbegin+0x43/0xa0 [2158499.700790] __keylinkbegin+0x43/0xa0 [2158499.700814] requestkeyandlink+0x2c7/0x730 [2158499.700847] ? dnsresolverread+0x20/0x20 [dnsresolver] [2158499.700873] ? keydefaultcmp+0x20/0x20 [2158499.700898] requestkeytag+0x43/0xa0 [2158499.700926] dnsquery+0x114/0x2ca [dnsresolver] [2158499.701127] dnsresolveservernameto_ip+0x194/0x310 [cifs] [2158499.701164] ? scnprintf+0x49/0x90 [2158499.701190] ? __switchtoasm+0x40/0x70 [2158499.701211] ? __switchtoasm+0x34/0x70 [2158499.701405] reconnsetipaddrfromhostname+0x81/0x2a0 [cifs] [2158499.701603] cifsresolveserver+0x4b/0xd0 [cifs] [2158499.701632] processonework+0x1f8/0x3e0 [2158499.701658] workerthread+0x2d/0x3f0 [2158499.701682] ? processonework+0x3e0/0x3e0 [2158499.701703] kthread+0x10d/0x130 [2158499.701723] ? kthreadpark+0xb0/0xb0 [2158499.701746] retfromfork+0x1f/0x40

The situation occurs as follows: * Some kernel facility invokes dnsquery() to resolve a hostname, for example, "abcdef". The function registers its global DNS resolver cache as current->cred.threadkeyring and passes the query to requestkeynet() -> requestkeytag() -> requestkeyandlink(). * Function requestkeyandlink() creates a keyringsearchcontext object. Its matchdata.cmp method gets set via a call to type->matchpreparse() (resolves to dnsresolvermatchpreparse()) to dnsresolvercmp(). * Function requestkeyandlink() continues and invokes searchprocesskeyringsrcu() which returns that a given key was not found. The control is then passed to requestkeyandlink() -> constructallockey(). * Concurrently to that, a second task similarly makes a DNS query for "abcdef." and its result gets inserted into the DNS resolver cache. * Back on the first task, function constructallockey() first runs __keylinkbegin() to determine an assocarrayedit operation to insert a new key. Index keys in the array are compared exactly as-is, using keyringcompareobject(). The operation ---truncated---