On Mon, 2010-03-15 at 08:20 -0400, steved@xxxxxxxxxx wrote: > From: Kevin Coffman <kwc@xxxxxxxxxxxxxx> > > Make the client and server code consistent regarding the extra buffer > space made available for the auth code when wrapping data. > > Add some comments/documentation about the available buffer space > in the xdr_buf head and tail when gss_wrap is called. > > Add a compile-time check to make sure we are not exceeding the available > buffer space. > > Add a central function to shift head data. > > Signed-off-by: Kevin Coffman <kwc@xxxxxxxxxxxxxx> > Signed-off-by: Steve Dickson <steved@xxxxxxxxxx> > --- > include/linux/sunrpc/gss_krb5.h | 25 ++++++++++++++ > net/sunrpc/auth_gss/auth_gss.c | 14 ++++++-- > net/sunrpc/auth_gss/gss_krb5_crypto.c | 56 +++++++++++++++++++++++++++++++++ > net/sunrpc/auth_gss/gss_krb5_wrap.c | 7 ++-- > net/sunrpc/auth_gss/gss_mech_switch.c | 14 ++++++++ > net/sunrpc/auth_gss/svcauth_gss.c | 15 +++++++++ > 6 files changed, 123 insertions(+), 8 deletions(-) > > diff --git a/include/linux/sunrpc/gss_krb5.h b/include/linux/sunrpc/gss_krb5.h > index e7bbdba..5bb227e 100644 > --- a/include/linux/sunrpc/gss_krb5.h > +++ b/include/linux/sunrpc/gss_krb5.h > @@ -40,6 +40,12 @@ > #include <linux/sunrpc/gss_err.h> > #include <linux/sunrpc/gss_asn1.h> > > +/* Maximum checksum function output for the supported crypto algorithms */ > +#define GSS_KRB5_MAX_CKSUM_LEN (20) > + > +/* Maximum blocksize for the supported crypto algorithms */ > +#define GSS_KRB5_MAX_BLOCKSIZE (16) > + > struct krb5_ctx { > int initiate; /* 1 = initiating, 0 = accepting */ > struct crypto_blkcipher *enc; > @@ -113,6 +119,22 @@ enum seal_alg { > #define ENCTYPE_DES3_CBC_SHA1 0x0010 > #define ENCTYPE_UNKNOWN 0x01ff > > +/* > + * This compile-time check verifies that we will not exceed the > + * slack space allotted by the client and server auth_gss code > + * before they call gss_wrap(). > + */ > +#define GSS_KRB5_SLACK_CHECK \ > + BUILD_BUG_ON(GSS_KRB5_TOK_HDR_LEN /* gss token header */ \ > + + GSS_KRB5_MAX_CKSUM_LEN /* gss token checksum */ \ > + + GSS_KRB5_MAX_BLOCKSIZE /* confounder */ \ > + + GSS_KRB5_MAX_BLOCKSIZE /* possible padding */ \ > + + GSS_KRB5_TOK_HDR_LEN /* encrypted hdr in v2 token */\ > + + GSS_KRB5_MAX_CKSUM_LEN /* encryption hmac */ \ > + + 4 + 4 /* RPC verifier */ \ > + + GSS_KRB5_TOK_HDR_LEN \ > + + GSS_KRB5_MAX_CKSUM_LEN > RPC_MAX_AUTH_SIZE) > + > s32 > make_checksum(char *, char *header, int hdrlen, struct xdr_buf *body, > int body_offset, struct xdr_netobj *cksum); > @@ -157,3 +179,6 @@ s32 > krb5_get_seq_num(struct crypto_blkcipher *key, > unsigned char *cksum, > unsigned char *buf, int *direction, u32 *seqnum); > + > +int > +shift_head_data(struct xdr_buf *buf, unsigned int base, unsigned int shiftlen); > diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c > index 0cfccc2..a268368 100644 > --- a/net/sunrpc/auth_gss/auth_gss.c > +++ b/net/sunrpc/auth_gss/auth_gss.c > @@ -61,7 +61,7 @@ static const struct rpc_credops gss_nullops; > # define RPCDBG_FACILITY RPCDBG_AUTH > #endif > > -#define GSS_CRED_SLACK 1024 > +#define GSS_CRED_SLACK (RPC_MAX_AUTH_SIZE * 2) > /* length of a krb5 verifier (48), plus data added before arguments when > * using integrity (two 4-byte integers): */ > #define GSS_VERF_SLACK 100 > @@ -1317,15 +1317,21 @@ gss_wrap_req_priv(struct rpc_cred *cred, struct gss_cl_ctx *ctx, > inpages = snd_buf->pages + first; > snd_buf->pages = rqstp->rq_enc_pages; > snd_buf->page_base -= first << PAGE_CACHE_SHIFT; > - /* Give the tail its own page, in case we need extra space in the > - * head when wrapping: */ > + /* > + * Give the tail its own page, in case we need extra space in the > + * head when wrapping: > + * > + * call_allocate() allocates twice the slack space required > + * by the authentication flavor to rq_callsize. > + * For GSS, slack is GSS_CRED_SLACK. > + */ I'm all for improving the comments in the code, but could we please make that a separate patch. > if (snd_buf->page_len || snd_buf->tail[0].iov_len) { > tmp = page_address(rqstp->rq_enc_pages[rqstp->rq_enc_pages_num - 1]); > memcpy(tmp, snd_buf->tail[0].iov_base, snd_buf->tail[0].iov_len); > snd_buf->tail[0].iov_base = tmp; > } > maj_stat = gss_wrap(ctx->gc_gss_ctx, offset, snd_buf, inpages); > - /* RPC_SLACK_SPACE should prevent this ever happening: */ > + /* slack space should prevent this ever happening: */ > BUG_ON(snd_buf->len > snd_buf->buflen); > status = -EIO; > /* We're assuming that when GSS_S_CONTEXT_EXPIRED, the encryption was > diff --git a/net/sunrpc/auth_gss/gss_krb5_crypto.c b/net/sunrpc/auth_gss/gss_krb5_crypto.c > index c93fca2..d0f3371 100644 > --- a/net/sunrpc/auth_gss/gss_krb5_crypto.c > +++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c > @@ -326,3 +326,59 @@ gss_decrypt_xdr_buf(struct crypto_blkcipher *tfm, struct xdr_buf *buf, > > return xdr_process_buf(buf, offset, buf->len - offset, decryptor, &desc); > } > + > +/* > + * This function makes the assumption that it was ultimately called > + * from gss_wrap(). > + * > + * The client auth_gss code moves any existing tail data into a > + * separate page before calling gss_wrap. > + * The server svcauth_gss code ensures that both the head and the > + * tail have slack space of RPC_MAX_AUTH_SIZE before calling gss_wrap. > + * > + * Even with that guarantee, this function may be called more than > + * once in the processing of gss_wrap(). The best we can do is > + * verify at compile-time (see GSS_KRB5_SLACK_CHECK) that the > + * largest expected shift will fit within RPC_MAX_AUTH_SIZE. > + * At run-time we can verify that a single invocation of this > + * function doesn't attempt to use more the RPC_MAX_AUTH_SIZE. > + */ > + > +int > +shift_head_data(struct xdr_buf *buf, unsigned int base, unsigned int shiftlen) ^^^^^^^^^^^^^^^ This needs a better name in order to avoid polluting the global namespace. xdr_extend_head(), perhaps? > +{ > + u8 *p; > + > + if (shiftlen == 0) > + return 0; > + > + GSS_KRB5_SLACK_CHECK; ^^^^^^^^^^^^^^^^^^^^^ Why is this a macro? > + BUG_ON(shiftlen > RPC_MAX_AUTH_SIZE); > + > + /* > + * If there is a tail, and it shares a page with the head, > + * make sure we don't clobber the tail. This is a just a > + * defensive check. > + */ > + if (buf->tail[0].iov_base != NULL) { > + if ((((long)buf->tail[0].iov_base >> PAGE_CACHE_SHIFT) == > + ((long)buf->head[0].iov_base >> PAGE_CACHE_SHIFT)) && ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This is just too ugly to live, and is wrong to boot. If buf->tail[0].iov_len == 0, then buf->tail[0].iov_base isn't even defined... > + buf->tail[0].iov_base - buf->head[0].iov_base < shiftlen) { > + dprintk("%s: collision: head %p:%zu, tail %p:%zu, " > + "shiftlen %u\n", > + __func__, buf->head[0].iov_base, > + buf->head[0].iov_len, buf->tail[0].iov_base, > + buf->tail[0].iov_len, shiftlen); > + return 1; > + } > + } > + > + p = buf->head[0].iov_base + base; > + > + memmove(p + shiftlen, p, buf->head[0].iov_len - base); > + > + buf->head[0].iov_len += shiftlen; > + buf->len += shiftlen; > + > + return 0; > +} > diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c > index ae8e69b..a0660f5 100644 > --- a/net/sunrpc/auth_gss/gss_krb5_wrap.c > +++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c > @@ -144,6 +144,7 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset, > > dprintk("RPC: gss_wrap_kerberos\n"); > > + GSS_KRB5_SLACK_CHECK; ....and why do we have a second one here? Since this is a BUILD_BUG, then surely we can check this just once. > now = get_seconds(); > > blocksize = crypto_blkcipher_blocksize(kctx->enc); > @@ -156,11 +157,9 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset, > > ptr = buf->head[0].iov_base + offset; > /* shift data to make room for header. */ > + shift_head_data(buf, offset, headlen); > + > /* XXX Would be cleverer to encrypt while copying. */ > - /* XXX bounds checking, slack, etc. */ > - memmove(ptr + headlen, ptr, buf->head[0].iov_len - offset); > - buf->head[0].iov_len += headlen; > - buf->len += headlen; > BUG_ON((buf->len - offset - headlen) % blocksize); > > g_make_token_header(&kctx->mech_used, -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html