sunrpc: fix 4 more call sites that were using stack memory with a scatterlist
commit e7afe6c1d486b516ed586dcc10b3e7e3e85a9c2b upstream. While trying to reproduce a reported kernel panic on arm64, I discovered that AUTH_GSS basically doesn't work at all with older enctypes on arm64 systems with CONFIG_VMAP_STACK enabled. It turns out there still a few places using stack memory with scatterlists, causing krb5_encrypt() and krb5_decrypt() to produce incorrect results (or a BUG if CONFIG_DEBUG_SG is enabled). Tested with cthon on v4.0/v4.1/v4.2 with krb5/krb5i/krb5p using des3-cbc-sha1 and arcfour-hmac-md5. Signed-off-by: Scott Mayhew <smayhew@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: J. Bruce Fields <bfields@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
bc5d97268c
commit
a7e0b9680a
1 changed files with 38 additions and 11 deletions
|
@ -44,7 +44,7 @@ krb5_make_rc4_seq_num(struct krb5_ctx *kctx, int direction, s32 seqnum,
|
|||
unsigned char *cksum, unsigned char *buf)
|
||||
{
|
||||
struct crypto_skcipher *cipher;
|
||||
unsigned char plain[8];
|
||||
unsigned char *plain;
|
||||
s32 code;
|
||||
|
||||
dprintk("RPC: %s:\n", __func__);
|
||||
|
@ -53,6 +53,10 @@ krb5_make_rc4_seq_num(struct krb5_ctx *kctx, int direction, s32 seqnum,
|
|||
if (IS_ERR(cipher))
|
||||
return PTR_ERR(cipher);
|
||||
|
||||
plain = kmalloc(8, GFP_NOFS);
|
||||
if (!plain)
|
||||
return -ENOMEM;
|
||||
|
||||
plain[0] = (unsigned char) ((seqnum >> 24) & 0xff);
|
||||
plain[1] = (unsigned char) ((seqnum >> 16) & 0xff);
|
||||
plain[2] = (unsigned char) ((seqnum >> 8) & 0xff);
|
||||
|
@ -69,6 +73,7 @@ krb5_make_rc4_seq_num(struct krb5_ctx *kctx, int direction, s32 seqnum,
|
|||
code = krb5_encrypt(cipher, cksum, plain, buf, 8);
|
||||
out:
|
||||
crypto_free_skcipher(cipher);
|
||||
kfree(plain);
|
||||
return code;
|
||||
}
|
||||
s32
|
||||
|
@ -78,12 +83,17 @@ krb5_make_seq_num(struct krb5_ctx *kctx,
|
|||
u32 seqnum,
|
||||
unsigned char *cksum, unsigned char *buf)
|
||||
{
|
||||
unsigned char plain[8];
|
||||
unsigned char *plain;
|
||||
s32 code;
|
||||
|
||||
if (kctx->enctype == ENCTYPE_ARCFOUR_HMAC)
|
||||
return krb5_make_rc4_seq_num(kctx, direction, seqnum,
|
||||
cksum, buf);
|
||||
|
||||
plain = kmalloc(8, GFP_NOFS);
|
||||
if (!plain)
|
||||
return -ENOMEM;
|
||||
|
||||
plain[0] = (unsigned char) (seqnum & 0xff);
|
||||
plain[1] = (unsigned char) ((seqnum >> 8) & 0xff);
|
||||
plain[2] = (unsigned char) ((seqnum >> 16) & 0xff);
|
||||
|
@ -94,7 +104,9 @@ krb5_make_seq_num(struct krb5_ctx *kctx,
|
|||
plain[6] = direction;
|
||||
plain[7] = direction;
|
||||
|
||||
return krb5_encrypt(key, cksum, plain, buf, 8);
|
||||
code = krb5_encrypt(key, cksum, plain, buf, 8);
|
||||
kfree(plain);
|
||||
return code;
|
||||
}
|
||||
|
||||
static s32
|
||||
|
@ -102,7 +114,7 @@ krb5_get_rc4_seq_num(struct krb5_ctx *kctx, unsigned char *cksum,
|
|||
unsigned char *buf, int *direction, s32 *seqnum)
|
||||
{
|
||||
struct crypto_skcipher *cipher;
|
||||
unsigned char plain[8];
|
||||
unsigned char *plain;
|
||||
s32 code;
|
||||
|
||||
dprintk("RPC: %s:\n", __func__);
|
||||
|
@ -115,20 +127,28 @@ krb5_get_rc4_seq_num(struct krb5_ctx *kctx, unsigned char *cksum,
|
|||
if (code)
|
||||
goto out;
|
||||
|
||||
plain = kmalloc(8, GFP_NOFS);
|
||||
if (!plain) {
|
||||
code = -ENOMEM;
|
||||
goto out;
|
||||
}
|
||||
|
||||
code = krb5_decrypt(cipher, cksum, buf, plain, 8);
|
||||
if (code)
|
||||
goto out;
|
||||
goto out_plain;
|
||||
|
||||
if ((plain[4] != plain[5]) || (plain[4] != plain[6])
|
||||
|| (plain[4] != plain[7])) {
|
||||
code = (s32)KG_BAD_SEQ;
|
||||
goto out;
|
||||
goto out_plain;
|
||||
}
|
||||
|
||||
*direction = plain[4];
|
||||
|
||||
*seqnum = ((plain[0] << 24) | (plain[1] << 16) |
|
||||
(plain[2] << 8) | (plain[3]));
|
||||
out_plain:
|
||||
kfree(plain);
|
||||
out:
|
||||
crypto_free_skcipher(cipher);
|
||||
return code;
|
||||
|
@ -141,26 +161,33 @@ krb5_get_seq_num(struct krb5_ctx *kctx,
|
|||
int *direction, u32 *seqnum)
|
||||
{
|
||||
s32 code;
|
||||
unsigned char plain[8];
|
||||
struct crypto_skcipher *key = kctx->seq;
|
||||
unsigned char *plain;
|
||||
|
||||
dprintk("RPC: krb5_get_seq_num:\n");
|
||||
|
||||
if (kctx->enctype == ENCTYPE_ARCFOUR_HMAC)
|
||||
return krb5_get_rc4_seq_num(kctx, cksum, buf,
|
||||
direction, seqnum);
|
||||
plain = kmalloc(8, GFP_NOFS);
|
||||
if (!plain)
|
||||
return -ENOMEM;
|
||||
|
||||
if ((code = krb5_decrypt(key, cksum, buf, plain, 8)))
|
||||
return code;
|
||||
goto out;
|
||||
|
||||
if ((plain[4] != plain[5]) || (plain[4] != plain[6]) ||
|
||||
(plain[4] != plain[7]))
|
||||
return (s32)KG_BAD_SEQ;
|
||||
(plain[4] != plain[7])) {
|
||||
code = (s32)KG_BAD_SEQ;
|
||||
goto out;
|
||||
}
|
||||
|
||||
*direction = plain[4];
|
||||
|
||||
*seqnum = ((plain[0]) |
|
||||
(plain[1] << 8) | (plain[2] << 16) | (plain[3] << 24));
|
||||
|
||||
return 0;
|
||||
out:
|
||||
kfree(plain);
|
||||
return code;
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue