Re: [PATCH 4.19] sunrpc: fix 4 more call sites that were using stack memory with a scatterlist

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



ACK.--b.

On Tue, Feb 19, 2019 at 02:36:27PM -0500, Scott Mayhew wrote:
> (cherry picked from commit e7afe6c1d486b516ed586dcc10b3e7e3e85a9c2b)
> 
> While trying to reproduce a reported kernel panic on arm64, I discovered
> that AUTH_GSS basically doesn't work at all with older enctypes on arm64
> systems with CONFIG_VMAP_STACK enabled.  It turns out there still a few
> places using stack memory with scatterlists, causing krb5_encrypt() and
> krb5_decrypt() to produce incorrect results (or a BUG if CONFIG_DEBUG_SG
> is enabled).
> 
> Tested with cthon on v4.0/v4.1/v4.2 with krb5/krb5i/krb5p using
> des3-cbc-sha1 and arcfour-hmac-md5.
> 
> Signed-off-by: Scott Mayhew <smayhew@xxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: J. Bruce Fields <bfields@xxxxxxxxxx>
> 
> Conflicts:
> 	net/sunrpc/auth_gss/gss_krb5_seqnum.c
> ---
>  net/sunrpc/auth_gss/gss_krb5_seqnum.c | 49 +++++++++++++++++++++++++++--------
>  1 file changed, 38 insertions(+), 11 deletions(-)
> 
> diff --git a/net/sunrpc/auth_gss/gss_krb5_seqnum.c b/net/sunrpc/auth_gss/gss_krb5_seqnum.c
> index c8b9082..2d2ed67 100644
> --- a/net/sunrpc/auth_gss/gss_krb5_seqnum.c
> +++ b/net/sunrpc/auth_gss/gss_krb5_seqnum.c
> @@ -44,7 +44,7 @@
>  		      unsigned char *cksum, unsigned char *buf)
>  {
>  	struct crypto_skcipher *cipher;
> -	unsigned char plain[8];
> +	unsigned char *plain;
>  	s32 code;
>  
>  	dprintk("RPC:       %s:\n", __func__);
> @@ -53,6 +53,10 @@
>  	if (IS_ERR(cipher))
>  		return PTR_ERR(cipher);
>  
> +	plain = kmalloc(8, GFP_NOFS);
> +	if (!plain)
> +		return -ENOMEM;
> +
>  	plain[0] = (unsigned char) ((seqnum >> 24) & 0xff);
>  	plain[1] = (unsigned char) ((seqnum >> 16) & 0xff);
>  	plain[2] = (unsigned char) ((seqnum >> 8) & 0xff);
> @@ -69,6 +73,7 @@
>  	code = krb5_encrypt(cipher, cksum, plain, buf, 8);
>  out:
>  	crypto_free_skcipher(cipher);
> +	kfree(plain);
>  	return code;
>  }
>  s32
> @@ -78,12 +83,17 @@
>  		u32 seqnum,
>  		unsigned char *cksum, unsigned char *buf)
>  {
> -	unsigned char plain[8];
> +	unsigned char *plain;
> +	s32 code;
>  
>  	if (kctx->enctype == ENCTYPE_ARCFOUR_HMAC)
>  		return krb5_make_rc4_seq_num(kctx, direction, seqnum,
>  					     cksum, buf);
>  
> +	plain = kmalloc(8, GFP_NOFS);
> +	if (!plain)
> +		return -ENOMEM;
> +
>  	plain[0] = (unsigned char) (seqnum & 0xff);
>  	plain[1] = (unsigned char) ((seqnum >> 8) & 0xff);
>  	plain[2] = (unsigned char) ((seqnum >> 16) & 0xff);
> @@ -94,7 +104,9 @@
>  	plain[6] = direction;
>  	plain[7] = direction;
>  
> -	return krb5_encrypt(key, cksum, plain, buf, 8);
> +	code = krb5_encrypt(key, cksum, plain, buf, 8);
> +	kfree(plain);
> +	return code;
>  }
>  
>  static s32
> @@ -102,7 +114,7 @@
>  		     unsigned char *buf, int *direction, s32 *seqnum)
>  {
>  	struct crypto_skcipher *cipher;
> -	unsigned char plain[8];
> +	unsigned char *plain;
>  	s32 code;
>  
>  	dprintk("RPC:       %s:\n", __func__);
> @@ -115,20 +127,28 @@
>  	if (code)
>  		goto out;
>  
> +	plain = kmalloc(8, GFP_NOFS);
> +	if (!plain) {
> +		code = -ENOMEM;
> +		goto out;
> +	}
> +
>  	code = krb5_decrypt(cipher, cksum, buf, plain, 8);
>  	if (code)
> -		goto out;
> +		goto out_plain;
>  
>  	if ((plain[4] != plain[5]) || (plain[4] != plain[6])
>  				   || (plain[4] != plain[7])) {
>  		code = (s32)KG_BAD_SEQ;
> -		goto out;
> +		goto out_plain;
>  	}
>  
>  	*direction = plain[4];
>  
>  	*seqnum = ((plain[0] << 24) | (plain[1] << 16) |
>  					(plain[2] << 8) | (plain[3]));
> +out_plain:
> +	kfree(plain);
>  out:
>  	crypto_free_skcipher(cipher);
>  	return code;
> @@ -141,26 +161,33 @@
>  	       int *direction, u32 *seqnum)
>  {
>  	s32 code;
> -	unsigned char plain[8];
>  	struct crypto_skcipher *key = kctx->seq;
> +	unsigned char *plain;
>  
>  	dprintk("RPC:       krb5_get_seq_num:\n");
>  
>  	if (kctx->enctype == ENCTYPE_ARCFOUR_HMAC)
>  		return krb5_get_rc4_seq_num(kctx, cksum, buf,
>  					    direction, seqnum);
> +	plain = kmalloc(8, GFP_NOFS);
> +	if (!plain)
> +		return -ENOMEM;
>  
>  	if ((code = krb5_decrypt(key, cksum, buf, plain, 8)))
> -		return code;
> +		goto out;
>  
>  	if ((plain[4] != plain[5]) || (plain[4] != plain[6]) ||
> -	    (plain[4] != plain[7]))
> -		return (s32)KG_BAD_SEQ;
> +	    (plain[4] != plain[7])) {
> +		code = (s32)KG_BAD_SEQ;
> +		goto out;
> +	}
>  
>  	*direction = plain[4];
>  
>  	*seqnum = ((plain[0]) |
>  		   (plain[1] << 8) | (plain[2] << 16) | (plain[3] << 24));
>  
> -	return 0;
> +out:
> +	kfree(plain);
> +	return code;
>  }
> -- 
> 1.8.3.1
> 



[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux