From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=DFRM=Q2=vger.kernel.org=stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-8.5 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
	INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS,USER_AGENT_MUTT
	autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 21B7BC43381
	for <stable@archiver.kernel.org>; Tue, 19 Feb 2019 21:38:05 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id ECFA52086D
	for <stable@archiver.kernel.org>; Tue, 19 Feb 2019 21:38:04 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726451AbfBSViE (ORCPT <rfc822;stable@archiver.kernel.org>);
        Tue, 19 Feb 2019 16:38:04 -0500
Received: from mx1.redhat.com ([209.132.183.28]:47634 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1728169AbfBSViE (ORCPT <rfc822;stable@vger.kernel.org>);
        Tue, 19 Feb 2019 16:38:04 -0500
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id B6A76B212
        for <stable@vger.kernel.org>; Tue, 19 Feb 2019 21:38:03 +0000 (UTC)
Received: from parsley.fieldses.org (ovpn-123-19.rdu2.redhat.com [10.10.123.19])
        by smtp.corp.redhat.com (Postfix) with ESMTP id 4FFBF5DD63;
        Tue, 19 Feb 2019 21:38:03 +0000 (UTC)
Received: by parsley.fieldses.org (Postfix, from userid 2815)
        id 42F5E18036E; Tue, 19 Feb 2019 16:38:02 -0500 (EST)
Date:   Tue, 19 Feb 2019 16:38:02 -0500
From:   "J. Bruce Fields" <bfields@redhat.com>
To:     Scott Mayhew <smayhew@redhat.com>
Cc:     stable@vger.kernel.org
Subject: Re: [PATCH 4.19] sunrpc: fix 4 more call sites that were using stack
 memory with a scatterlist
Message-ID: <20190219213801.GC26296@parsley.fieldses.org>
References: <20190219193627.15619-1-smayhew@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20190219193627.15619-1-smayhew@redhat.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.28]); Tue, 19 Feb 2019 21:38:03 +0000 (UTC)
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

ACK.--b.

On Tue, Feb 19, 2019 at 02:36:27PM -0500, Scott Mayhew wrote:
> (cherry picked from commit e7afe6c1d486b516ed586dcc10b3e7e3e85a9c2b)
> 
> While trying to reproduce a reported kernel panic on arm64, I discovered
> that AUTH_GSS basically doesn't work at all with older enctypes on arm64
> systems with CONFIG_VMAP_STACK enabled.  It turns out there still a few
> places using stack memory with scatterlists, causing krb5_encrypt() and
> krb5_decrypt() to produce incorrect results (or a BUG if CONFIG_DEBUG_SG
> is enabled).
> 
> Tested with cthon on v4.0/v4.1/v4.2 with krb5/krb5i/krb5p using
> des3-cbc-sha1 and arcfour-hmac-md5.
> 
> Signed-off-by: Scott Mayhew <smayhew@redhat.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: J. Bruce Fields <bfields@redhat.com>
> 
> Conflicts:
> 	net/sunrpc/auth_gss/gss_krb5_seqnum.c
> ---
>  net/sunrpc/auth_gss/gss_krb5_seqnum.c | 49 +++++++++++++++++++++++++++--------
>  1 file changed, 38 insertions(+), 11 deletions(-)
> 
> diff --git a/net/sunrpc/auth_gss/gss_krb5_seqnum.c b/net/sunrpc/auth_gss/gss_krb5_seqnum.c
> index c8b9082..2d2ed67 100644
> --- a/net/sunrpc/auth_gss/gss_krb5_seqnum.c
> +++ b/net/sunrpc/auth_gss/gss_krb5_seqnum.c
> @@ -44,7 +44,7 @@
>  		      unsigned char *cksum, unsigned char *buf)
>  {
>  	struct crypto_skcipher *cipher;
> -	unsigned char plain[8];
> +	unsigned char *plain;
>  	s32 code;
>  
>  	dprintk("RPC:       %s:\n", __func__);
> @@ -53,6 +53,10 @@
>  	if (IS_ERR(cipher))
>  		return PTR_ERR(cipher);
>  
> +	plain = kmalloc(8, GFP_NOFS);
> +	if (!plain)
> +		return -ENOMEM;
> +
>  	plain[0] = (unsigned char) ((seqnum >> 24) & 0xff);
>  	plain[1] = (unsigned char) ((seqnum >> 16) & 0xff);
>  	plain[2] = (unsigned char) ((seqnum >> 8) & 0xff);
> @@ -69,6 +73,7 @@
>  	code = krb5_encrypt(cipher, cksum, plain, buf, 8);
>  out:
>  	crypto_free_skcipher(cipher);
> +	kfree(plain);
>  	return code;
>  }
>  s32
> @@ -78,12 +83,17 @@
>  		u32 seqnum,
>  		unsigned char *cksum, unsigned char *buf)
>  {
> -	unsigned char plain[8];
> +	unsigned char *plain;
> +	s32 code;
>  
>  	if (kctx->enctype == ENCTYPE_ARCFOUR_HMAC)
>  		return krb5_make_rc4_seq_num(kctx, direction, seqnum,
>  					     cksum, buf);
>  
> +	plain = kmalloc(8, GFP_NOFS);
> +	if (!plain)
> +		return -ENOMEM;
> +
>  	plain[0] = (unsigned char) (seqnum & 0xff);
>  	plain[1] = (unsigned char) ((seqnum >> 8) & 0xff);
>  	plain[2] = (unsigned char) ((seqnum >> 16) & 0xff);
> @@ -94,7 +104,9 @@
>  	plain[6] = direction;
>  	plain[7] = direction;
>  
> -	return krb5_encrypt(key, cksum, plain, buf, 8);
> +	code = krb5_encrypt(key, cksum, plain, buf, 8);
> +	kfree(plain);
> +	return code;
>  }
>  
>  static s32
> @@ -102,7 +114,7 @@
>  		     unsigned char *buf, int *direction, s32 *seqnum)
>  {
>  	struct crypto_skcipher *cipher;
> -	unsigned char plain[8];
> +	unsigned char *plain;
>  	s32 code;
>  
>  	dprintk("RPC:       %s:\n", __func__);
> @@ -115,20 +127,28 @@
>  	if (code)
>  		goto out;
>  
> +	plain = kmalloc(8, GFP_NOFS);
> +	if (!plain) {
> +		code = -ENOMEM;
> +		goto out;
> +	}
> +
>  	code = krb5_decrypt(cipher, cksum, buf, plain, 8);
>  	if (code)
> -		goto out;
> +		goto out_plain;
>  
>  	if ((plain[4] != plain[5]) || (plain[4] != plain[6])
>  				   || (plain[4] != plain[7])) {
>  		code = (s32)KG_BAD_SEQ;
> -		goto out;
> +		goto out_plain;
>  	}
>  
>  	*direction = plain[4];
>  
>  	*seqnum = ((plain[0] << 24) | (plain[1] << 16) |
>  					(plain[2] << 8) | (plain[3]));
> +out_plain:
> +	kfree(plain);
>  out:
>  	crypto_free_skcipher(cipher);
>  	return code;
> @@ -141,26 +161,33 @@
>  	       int *direction, u32 *seqnum)
>  {
>  	s32 code;
> -	unsigned char plain[8];
>  	struct crypto_skcipher *key = kctx->seq;
> +	unsigned char *plain;
>  
>  	dprintk("RPC:       krb5_get_seq_num:\n");
>  
>  	if (kctx->enctype == ENCTYPE_ARCFOUR_HMAC)
>  		return krb5_get_rc4_seq_num(kctx, cksum, buf,
>  					    direction, seqnum);
> +	plain = kmalloc(8, GFP_NOFS);
> +	if (!plain)
> +		return -ENOMEM;
>  
>  	if ((code = krb5_decrypt(key, cksum, buf, plain, 8)))
> -		return code;
> +		goto out;
>  
>  	if ((plain[4] != plain[5]) || (plain[4] != plain[6]) ||
> -	    (plain[4] != plain[7]))
> -		return (s32)KG_BAD_SEQ;
> +	    (plain[4] != plain[7])) {
> +		code = (s32)KG_BAD_SEQ;
> +		goto out;
> +	}
>  
>  	*direction = plain[4];
>  
>  	*seqnum = ((plain[0]) |
>  		   (plain[1] << 8) | (plain[2] << 16) | (plain[3] << 24));
>  
> -	return 0;
> +out:
> +	kfree(plain);
> +	return code;
>  }
> -- 
> 1.8.3.1
>