From: Christoph Hellwig <hch@infradead.org>
To: Kees Cook <keescook@chromium.org>
Cc: kernel-hardening@lists.openwall.com,
David Howells <dhowells@redhat.com>,
Laura Abbott <labbott@redhat.com>,
x86@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 07/20] randstruct: Whitelist big_key path struct overloading
Date: Sun, 28 May 2017 01:12:49 -0700 [thread overview]
Message-ID: <20170528081249.GD22193@infradead.org> (raw)
In-Reply-To: <1495829844-69341-8-git-send-email-keescook@chromium.org>
What about the untested patch below to just fix the issue?
---
>From e9eb519c854d2f3d16a4def492577a883246e290 Mon Sep 17 00:00:00 2001
From: Christoph Hellwig <hch@lst.de>
Date: Sun, 28 May 2017 11:03:34 +0300
Subject: security/keys: don't cast union key_payload
Instead store the individual pointers in struct path.
Signed-off-by: Christoph Hellwig <hch@lst.de>
---
security/keys/big_key.c | 35 ++++++++++++++++++++---------------
1 file changed, 20 insertions(+), 15 deletions(-)
diff --git a/security/keys/big_key.c b/security/keys/big_key.c
index 835c1ab30d01..06f2cd07dbd7 100644
--- a/security/keys/big_key.c
+++ b/security/keys/big_key.c
@@ -26,8 +26,8 @@
*/
enum {
big_key_data,
- big_key_path,
- big_key_path_2nd_part,
+ big_key_path_mnt,
+ big_key_path_dentry,
big_key_len,
};
@@ -118,12 +118,16 @@ static int big_key_crypt(enum big_key_op op, u8 *data, size_t datalen, u8 *key)
return ret;
}
+#define PATH_FROM_PAYLOAD(p) { \
+ .mnt = (p)->data[big_key_path_mnt], \
+ .dentry = (p)->data[big_key_path_dentry], \
+}
+
/*
* Preparse a big key
*/
int big_key_preparse(struct key_preparsed_payload *prep)
{
- struct path *path = (struct path *)&prep->payload.data[big_key_path];
struct file *file;
u8 *enckey;
u8 *data = NULL;
@@ -190,9 +194,10 @@ int big_key_preparse(struct key_preparsed_payload *prep)
/* Pin the mount and dentry to the key so that we can open it again
* later
*/
+ path_get(&file->f_path);
prep->payload.data[big_key_data] = enckey;
- *path = file->f_path;
- path_get(path);
+ prep->payload.data[big_key_path_mnt] = file->f_path.mnt;
+ prep->payload.data[big_key_path_dentry] = file->f_path.dentry;
fput(file);
kfree(data);
} else {
@@ -222,9 +227,9 @@ int big_key_preparse(struct key_preparsed_payload *prep)
void big_key_free_preparse(struct key_preparsed_payload *prep)
{
if (prep->datalen > BIG_KEY_FILE_THRESHOLD) {
- struct path *path = (struct path *)&prep->payload.data[big_key_path];
+ struct path path = PATH_FROM_PAYLOAD(&prep->payload);
- path_put(path);
+ path_put(&path);
}
kfree(prep->payload.data[big_key_data]);
}
@@ -235,13 +240,13 @@ void big_key_free_preparse(struct key_preparsed_payload *prep)
*/
void big_key_revoke(struct key *key)
{
- struct path *path = (struct path *)&key->payload.data[big_key_path];
+ struct path path = PATH_FROM_PAYLOAD(&key->payload);
/* clear the quota */
key_payload_reserve(key, 0);
if (key_is_instantiated(key) &&
(size_t)key->payload.data[big_key_len] > BIG_KEY_FILE_THRESHOLD)
- vfs_truncate(path, 0);
+ vfs_truncate(&path, 0);
}
/*
@@ -252,11 +257,11 @@ void big_key_destroy(struct key *key)
size_t datalen = (size_t)key->payload.data[big_key_len];
if (datalen > BIG_KEY_FILE_THRESHOLD) {
- struct path *path = (struct path *)&key->payload.data[big_key_path];
+ struct path path = PATH_FROM_PAYLOAD(&key->payload);
- path_put(path);
- path->mnt = NULL;
- path->dentry = NULL;
+ path_put(&path);
+ key->payload.data[big_key_path_mnt] = NULL;
+ key->payload.data[big_key_path_dentry] = NULL;
}
kfree(key->payload.data[big_key_data]);
key->payload.data[big_key_data] = NULL;
@@ -290,7 +295,7 @@ long big_key_read(const struct key *key, char __user *buffer, size_t buflen)
return datalen;
if (datalen > BIG_KEY_FILE_THRESHOLD) {
- struct path *path = (struct path *)&key->payload.data[big_key_path];
+ struct path path = PATH_FROM_PAYLOAD(&key->payload);
struct file *file;
u8 *data;
u8 *enckey = (u8 *)key->payload.data[big_key_data];
@@ -300,7 +305,7 @@ long big_key_read(const struct key *key, char __user *buffer, size_t buflen)
if (!data)
return -ENOMEM;
- file = dentry_open(path, O_RDONLY, current_cred());
+ file = dentry_open(&path, O_RDONLY, current_cred());
if (IS_ERR(file)) {
ret = PTR_ERR(file);
goto error;
--
2.11.0
next prev parent reply other threads:[~2017-05-28 8:13 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-26 20:17 [PATCH v2 00/20] Introduce struct layout randomization plugin Kees Cook
2017-05-26 20:17 ` [PATCH v2 01/20] NFS: Avoid cross-structure casting Kees Cook
2017-05-28 7:53 ` Christoph Hellwig
2017-05-28 16:55 ` Kees Cook
2017-05-26 20:17 ` [PATCH v2 02/20] gcc-plugins: Detail c-common.h location for GCC 4.6 Kees Cook
2017-05-26 20:17 ` [PATCH v2 03/20] compiler: Add __designated_init annotation Kees Cook
2017-05-26 20:17 ` [PATCH v2 04/20] gcc-plugins: Add the randstruct plugin Kees Cook
2017-06-29 22:08 ` Arnd Bergmann
2017-06-29 22:53 ` Kees Cook
2017-06-30 0:04 ` Kees Cook
2017-06-30 7:35 ` Arnd Bergmann
2017-06-30 7:55 ` Ard Biesheuvel
2017-06-30 8:27 ` Arnd Bergmann
2017-06-30 14:41 ` Kees Cook
2017-06-30 15:22 ` Arnd Bergmann
2017-05-26 20:17 ` [PATCH v2 05/20] randstruct: Whitelist struct security_hook_heads cast Kees Cook
2017-05-27 8:41 ` Christoph Hellwig
2017-05-27 20:09 ` Kees Cook
2017-05-27 22:04 ` Tetsuo Handa
2017-05-28 0:43 ` [kernel-hardening] " Kees Cook
2017-05-30 10:34 ` James Morris
2017-05-26 20:17 ` [PATCH v2 06/20] randstruct: Whitelist UNIXCB cast Kees Cook
2017-05-26 20:20 ` Kees Cook
2017-05-28 7:56 ` Christoph Hellwig
2017-05-26 20:17 ` [PATCH v2 07/20] randstruct: Whitelist big_key path struct overloading Kees Cook
2017-05-28 8:12 ` Christoph Hellwig [this message]
2017-05-28 16:59 ` Kees Cook
2017-06-19 19:24 ` Kees Cook
2017-09-07 7:20 ` Christoph Hellwig
2017-09-07 22:55 ` Kees Cook
2017-05-26 20:17 ` [PATCH v2 08/20] randstruct: Whitelist NIU struct page overloading Kees Cook
2017-05-28 8:15 ` Christoph Hellwig
2017-05-28 17:35 ` Kees Cook
2017-05-28 17:37 ` Kees Cook
2017-05-26 20:17 ` [PATCH v2 09/20] randstruct: Mark various structs for randomization Kees Cook
2017-05-26 20:17 ` [PATCH v2 10/20] randstruct: opt-out externally exposed function pointer structs Kees Cook
2017-05-26 20:17 ` [PATCH v2 11/20] randstruct: Disable randomization of ACPICA structs Kees Cook
2017-05-27 8:42 ` Christoph Hellwig
2017-05-27 20:03 ` Kees Cook
2017-05-28 4:55 ` Christoph Hellwig
2017-05-26 20:17 ` [PATCH v2 12/20] sgi-xp: Use designated initializers Kees Cook
2017-05-27 8:44 ` Christoph Hellwig
2017-05-26 20:17 ` [PATCH v2 13/20] drm/amdgpu: " Kees Cook
2017-05-26 20:17 ` [PATCH v2 14/20] drm/amd/powerplay: " Kees Cook
2017-05-27 8:47 ` Christoph Hellwig
2017-05-27 20:10 ` Kees Cook
2017-05-26 20:17 ` [PATCH v2 15/20] mtk-vcodec: " Kees Cook
2017-05-26 20:17 ` [PATCH v2 16/20] ntfs: Use ERR_CAST() to avoid cross-structure cast Kees Cook
2017-05-26 20:17 ` [PATCH v2 17/20] ocfs2: " Kees Cook
2017-05-26 20:17 ` [PATCH v2 18/20] randstruct: Enable function pointer struct detection Kees Cook
2017-05-26 20:17 ` [PATCH v2 19/20] [RFC] task_struct: Allow randomized layout Kees Cook
2017-05-26 20:23 ` Linus Torvalds
2017-05-26 20:32 ` Kees Cook
2017-05-26 20:17 ` [PATCH v2 20/20] ACPICA: Use designated initializers Kees Cook
2017-05-28 7:45 ` Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170528081249.GD22193@infradead.org \
--to=hch@infradead.org \
--cc=dhowells@redhat.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=labbott@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).