From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=Mjai=QW=vger.kernel.org=linux-nfs-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-8.5 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
	INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS,USER_AGENT_MUTT
	autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 14574C43381
	for <linux-nfs@archiver.kernel.org>; Fri, 15 Feb 2019 19:58:20 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id E080A21B18
	for <linux-nfs@archiver.kernel.org>; Fri, 15 Feb 2019 19:58:19 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726689AbfBOT6T (ORCPT <rfc822;linux-nfs@archiver.kernel.org>);
        Fri, 15 Feb 2019 14:58:19 -0500
Received: from fieldses.org ([173.255.197.46]:39632 "EHLO fieldses.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726317AbfBOT6T (ORCPT <rfc822;linux-nfs@vger.kernel.org>);
        Fri, 15 Feb 2019 14:58:19 -0500
Received: by fieldses.org (Postfix, from userid 2815)
        id 1A5F61CE7; Fri, 15 Feb 2019 14:58:18 -0500 (EST)
Date:   Fri, 15 Feb 2019 14:58:18 -0500
From:   "J. Bruce Fields" <bfields@fieldses.org>
To:     Scott Mayhew <smayhew@redhat.com>
Cc:     trond.myklebust@hammerspace.com, anna.schumaker@netapp.com,
        jlayton@kernel.org, linux-nfs@vger.kernel.org
Subject: Re: [PATCH] sunrpc: fix 4 more call sites that were using stack
 memory with a scatterlist
Message-ID: <20190215195818.GB22354@fieldses.org>
References: <20190215184202.5537-1-smayhew@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20190215184202.5537-1-smayhew@redhat.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-nfs-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-nfs.vger.kernel.org>
X-Mailing-List: linux-nfs@vger.kernel.org

Thanks!  Applying for 5.0 and stable.

--b.

On Fri, Feb 15, 2019 at 01:42:02PM -0500, Scott Mayhew wrote:
> While trying to reproduce a reported kernel panic on arm64, I discovered
> that AUTH_GSS basically doesn't work at all with older enctypes on arm64
> systems with CONFIG_VMAP_STACK enabled.  It turns out there still a few
> places using stack memory with scatterlists, causing krb5_encrypt() and
> krb5_decrypt() to produce incorrect results (or a BUG if CONFIG_DEBUG_SG
> is enabled).
> 
> Tested with cthon on v4.0/v4.1/v4.2 with krb5/krb5i/krb5p using
> des3-cbc-sha1 and arcfour-hmac-md5.
> 
> Signed-off-by: Scott Mayhew <smayhew@redhat.com>
> ---
>  net/sunrpc/auth_gss/gss_krb5_seqnum.c | 49 +++++++++++++++++++++------
>  1 file changed, 38 insertions(+), 11 deletions(-)
> 
> diff --git a/net/sunrpc/auth_gss/gss_krb5_seqnum.c b/net/sunrpc/auth_gss/gss_krb5_seqnum.c
> index fb6656295204..507105127095 100644
> --- a/net/sunrpc/auth_gss/gss_krb5_seqnum.c
> +++ b/net/sunrpc/auth_gss/gss_krb5_seqnum.c
> @@ -44,7 +44,7 @@ krb5_make_rc4_seq_num(struct krb5_ctx *kctx, int direction, s32 seqnum,
>  		      unsigned char *cksum, unsigned char *buf)
>  {
>  	struct crypto_sync_skcipher *cipher;
> -	unsigned char plain[8];
> +	unsigned char *plain;
>  	s32 code;
>  
>  	dprintk("RPC:       %s:\n", __func__);
> @@ -52,6 +52,10 @@ krb5_make_rc4_seq_num(struct krb5_ctx *kctx, int direction, s32 seqnum,
>  	if (IS_ERR(cipher))
>  		return PTR_ERR(cipher);
>  
> +	plain = kmalloc(8, GFP_NOFS);
> +	if (!plain)
> +		return -ENOMEM;
> +
>  	plain[0] = (unsigned char) ((seqnum >> 24) & 0xff);
>  	plain[1] = (unsigned char) ((seqnum >> 16) & 0xff);
>  	plain[2] = (unsigned char) ((seqnum >> 8) & 0xff);
> @@ -67,6 +71,7 @@ krb5_make_rc4_seq_num(struct krb5_ctx *kctx, int direction, s32 seqnum,
>  
>  	code = krb5_encrypt(cipher, cksum, plain, buf, 8);
>  out:
> +	kfree(plain);
>  	crypto_free_sync_skcipher(cipher);
>  	return code;
>  }
> @@ -77,12 +82,17 @@ krb5_make_seq_num(struct krb5_ctx *kctx,
>  		u32 seqnum,
>  		unsigned char *cksum, unsigned char *buf)
>  {
> -	unsigned char plain[8];
> +	unsigned char *plain;
> +	s32 code;
>  
>  	if (kctx->enctype == ENCTYPE_ARCFOUR_HMAC)
>  		return krb5_make_rc4_seq_num(kctx, direction, seqnum,
>  					     cksum, buf);
>  
> +	plain = kmalloc(8, GFP_NOFS);
> +	if (!plain)
> +		return -ENOMEM;
> +
>  	plain[0] = (unsigned char) (seqnum & 0xff);
>  	plain[1] = (unsigned char) ((seqnum >> 8) & 0xff);
>  	plain[2] = (unsigned char) ((seqnum >> 16) & 0xff);
> @@ -93,7 +103,9 @@ krb5_make_seq_num(struct krb5_ctx *kctx,
>  	plain[6] = direction;
>  	plain[7] = direction;
>  
> -	return krb5_encrypt(key, cksum, plain, buf, 8);
> +	code = krb5_encrypt(key, cksum, plain, buf, 8);
> +	kfree(plain);
> +	return code;
>  }
>  
>  static s32
> @@ -101,7 +113,7 @@ krb5_get_rc4_seq_num(struct krb5_ctx *kctx, unsigned char *cksum,
>  		     unsigned char *buf, int *direction, s32 *seqnum)
>  {
>  	struct crypto_sync_skcipher *cipher;
> -	unsigned char plain[8];
> +	unsigned char *plain;
>  	s32 code;
>  
>  	dprintk("RPC:       %s:\n", __func__);
> @@ -113,20 +125,28 @@ krb5_get_rc4_seq_num(struct krb5_ctx *kctx, unsigned char *cksum,
>  	if (code)
>  		goto out;
>  
> +	plain = kmalloc(8, GFP_NOFS);
> +	if (!plain) {
> +		code = -ENOMEM;
> +		goto out;
> +	}
> +
>  	code = krb5_decrypt(cipher, cksum, buf, plain, 8);
>  	if (code)
> -		goto out;
> +		goto out_plain;
>  
>  	if ((plain[4] != plain[5]) || (plain[4] != plain[6])
>  				   || (plain[4] != plain[7])) {
>  		code = (s32)KG_BAD_SEQ;
> -		goto out;
> +		goto out_plain;
>  	}
>  
>  	*direction = plain[4];
>  
>  	*seqnum = ((plain[0] << 24) | (plain[1] << 16) |
>  					(plain[2] << 8) | (plain[3]));
> +out_plain:
> +	kfree(plain);
>  out:
>  	crypto_free_sync_skcipher(cipher);
>  	return code;
> @@ -139,7 +159,7 @@ krb5_get_seq_num(struct krb5_ctx *kctx,
>  	       int *direction, u32 *seqnum)
>  {
>  	s32 code;
> -	unsigned char plain[8];
> +	unsigned char *plain;
>  	struct crypto_sync_skcipher *key = kctx->seq;
>  
>  	dprintk("RPC:       krb5_get_seq_num:\n");
> @@ -147,18 +167,25 @@ krb5_get_seq_num(struct krb5_ctx *kctx,
>  	if (kctx->enctype == ENCTYPE_ARCFOUR_HMAC)
>  		return krb5_get_rc4_seq_num(kctx, cksum, buf,
>  					    direction, seqnum);
> +	plain = kmalloc(8, GFP_NOFS);
> +	if (!plain)
> +		return -ENOMEM;
>  
>  	if ((code = krb5_decrypt(key, cksum, buf, plain, 8)))
> -		return code;
> +		goto out;
>  
>  	if ((plain[4] != plain[5]) || (plain[4] != plain[6]) ||
> -	    (plain[4] != plain[7]))
> -		return (s32)KG_BAD_SEQ;
> +	    (plain[4] != plain[7])) {
> +		code = (s32)KG_BAD_SEQ;
> +		goto out;
> +	}
>  
>  	*direction = plain[4];
>  
>  	*seqnum = ((plain[0]) |
>  		   (plain[1] << 8) | (plain[2] << 16) | (plain[3] << 24));
>  
> -	return 0;
> +out:
> +	kfree(plain);
> +	return code;
>  }
> -- 
> 2.17.2