• Eric Biggers's avatar
    KEYS: encrypted: avoid encrypting/decrypting stack buffers · e6235572
    Eric Biggers authored
    Since v4.9, the crypto API cannot (normally) be used to encrypt/decrypt
    stack buffers because the stack may be virtually mapped.  Fix this for
    the padding buffers in encrypted-keys by using ZERO_PAGE for the
    encryption padding and by allocating a temporary heap buffer for the
    decryption padding.
    
    Tested with CONFIG_DEBUG_SG=y:
    	keyctl new_session
    	keyctl add user master "abcdefghijklmnop" @s
    	keyid=$(keyctl add encrypted desc "new user:master 25" @s)
    	datablob="$(keyctl pipe $keyid)"
    	keyctl unlink $keyid
    	keyid=$(keyctl add encrypted desc "load $datablob" @s)
    	datablob2="$(keyctl pipe $keyid)"
    	[ "$datablob" = "$datablob2" ] && echo "Success!"
    
    Cc: Andy Lutomirski <luto@kernel.org>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
    Cc: stable@vger.kernel.org # 4.9+
    Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    e6235572
encrypted.c 26.7 KB