Commit e9ff56ac authored by Eric Biggers's avatar Eric Biggers Committed by James Morris

KEYS: encrypted: avoid encrypting/decrypting stack buffers

Since v4.9, the crypto API cannot (normally) be used to encrypt/decrypt
stack buffers because the stack may be virtually mapped.  Fix this for
the padding buffers in encrypted-keys by using ZERO_PAGE for the
encryption padding and by allocating a temporary heap buffer for the
decryption padding.

Tested with CONFIG_DEBUG_SG=y:
	keyctl new_session
	keyctl add user master "abcdefghijklmnop" @s
	keyid=$(keyctl add encrypted desc "new user:master 25" @s)
	datablob="$(keyctl pipe $keyid)"
	keyctl unlink $keyid
	keyid=$(keyctl add encrypted desc "load $datablob" @s)
	datablob2="$(keyctl pipe $keyid)"
	[ "$datablob" = "$datablob2" ] && echo "Success!"

Cc: Andy Lutomirski <luto@kernel.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: stable@vger.kernel.org # 4.9+
Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
parent d636bd9f
...@@ -479,12 +479,9 @@ static int derived_key_encrypt(struct encrypted_key_payload *epayload, ...@@ -479,12 +479,9 @@ static int derived_key_encrypt(struct encrypted_key_payload *epayload,
struct skcipher_request *req; struct skcipher_request *req;
unsigned int encrypted_datalen; unsigned int encrypted_datalen;
u8 iv[AES_BLOCK_SIZE]; u8 iv[AES_BLOCK_SIZE];
unsigned int padlen;
char pad[16];
int ret; int ret;
encrypted_datalen = roundup(epayload->decrypted_datalen, blksize); encrypted_datalen = roundup(epayload->decrypted_datalen, blksize);
padlen = encrypted_datalen - epayload->decrypted_datalen;
req = init_skcipher_req(derived_key, derived_keylen); req = init_skcipher_req(derived_key, derived_keylen);
ret = PTR_ERR(req); ret = PTR_ERR(req);
...@@ -492,11 +489,10 @@ static int derived_key_encrypt(struct encrypted_key_payload *epayload, ...@@ -492,11 +489,10 @@ static int derived_key_encrypt(struct encrypted_key_payload *epayload,
goto out; goto out;
dump_decrypted_data(epayload); dump_decrypted_data(epayload);
memset(pad, 0, sizeof pad);
sg_init_table(sg_in, 2); sg_init_table(sg_in, 2);
sg_set_buf(&sg_in[0], epayload->decrypted_data, sg_set_buf(&sg_in[0], epayload->decrypted_data,
epayload->decrypted_datalen); epayload->decrypted_datalen);
sg_set_buf(&sg_in[1], pad, padlen); sg_set_page(&sg_in[1], ZERO_PAGE(0), AES_BLOCK_SIZE, 0);
sg_init_table(sg_out, 1); sg_init_table(sg_out, 1);
sg_set_buf(sg_out, epayload->encrypted_data, encrypted_datalen); sg_set_buf(sg_out, epayload->encrypted_data, encrypted_datalen);
...@@ -583,9 +579,14 @@ static int derived_key_decrypt(struct encrypted_key_payload *epayload, ...@@ -583,9 +579,14 @@ static int derived_key_decrypt(struct encrypted_key_payload *epayload,
struct skcipher_request *req; struct skcipher_request *req;
unsigned int encrypted_datalen; unsigned int encrypted_datalen;
u8 iv[AES_BLOCK_SIZE]; u8 iv[AES_BLOCK_SIZE];
char pad[16]; u8 *pad;
int ret; int ret;
/* Throwaway buffer to hold the unused zero padding at the end */
pad = kmalloc(AES_BLOCK_SIZE, GFP_KERNEL);
if (!pad)
return -ENOMEM;
encrypted_datalen = roundup(epayload->decrypted_datalen, blksize); encrypted_datalen = roundup(epayload->decrypted_datalen, blksize);
req = init_skcipher_req(derived_key, derived_keylen); req = init_skcipher_req(derived_key, derived_keylen);
ret = PTR_ERR(req); ret = PTR_ERR(req);
...@@ -593,13 +594,12 @@ static int derived_key_decrypt(struct encrypted_key_payload *epayload, ...@@ -593,13 +594,12 @@ static int derived_key_decrypt(struct encrypted_key_payload *epayload,
goto out; goto out;
dump_encrypted_data(epayload, encrypted_datalen); dump_encrypted_data(epayload, encrypted_datalen);
memset(pad, 0, sizeof pad);
sg_init_table(sg_in, 1); sg_init_table(sg_in, 1);
sg_init_table(sg_out, 2); sg_init_table(sg_out, 2);
sg_set_buf(sg_in, epayload->encrypted_data, encrypted_datalen); sg_set_buf(sg_in, epayload->encrypted_data, encrypted_datalen);
sg_set_buf(&sg_out[0], epayload->decrypted_data, sg_set_buf(&sg_out[0], epayload->decrypted_data,
epayload->decrypted_datalen); epayload->decrypted_datalen);
sg_set_buf(&sg_out[1], pad, sizeof pad); sg_set_buf(&sg_out[1], pad, AES_BLOCK_SIZE);
memcpy(iv, epayload->iv, sizeof(iv)); memcpy(iv, epayload->iv, sizeof(iv));
skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen, iv); skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen, iv);
...@@ -611,6 +611,7 @@ static int derived_key_decrypt(struct encrypted_key_payload *epayload, ...@@ -611,6 +611,7 @@ static int derived_key_decrypt(struct encrypted_key_payload *epayload,
goto out; goto out;
dump_decrypted_data(epayload); dump_decrypted_data(epayload);
out: out:
kfree(pad);
return ret; return ret;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment