Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp10792634imu; Thu, 6 Dec 2018 06:55:00 -0800 (PST) X-Google-Smtp-Source: AFSGD/Xm6MnTWxFvkrnCKytI3dJrlZX+7fRqtZGr4/B2W6gUcE07bl5xH7XyhQv4f/vPk3h8Qong X-Received: by 2002:a63:cd17:: with SMTP id i23mr24081478pgg.13.1544108100784; Thu, 06 Dec 2018 06:55:00 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544108100; cv=none; d=google.com; s=arc-20160816; b=Gc9hEbO+A/gA2mpQyzSYj2EJgdhBxtpV9yuGnyae7Ie6ELLRNHd2q2NeNx8+XrBCgi LHpu6sRP/osQd55ezbIILpXmUxSDxSiqZv1qtAlaFvuhjERXvrsWeuX0uIafHGmut8w/ smmGHl2MPdLOf9HF35aFZTKsaAl8Ab7sIkqn9k6Ey//kdNWubsn+pucHnLzGU1lfXPM5 p45RVeEvg6KKaITGXhmwx4tdS6U3NaAqhRw/yQTV/3QmWh85pQ2UMdc8EiGO0n6X9HL0 esFYVd9JFrBn4zFpm0t+P4hw0O0KRf+qwiKL38XXDPYvoJvjkA/Kmeqz56uP3L9JiPfU 2/Ww== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=AWN99Z6hiisNtBi5rH0RWAdfqNbqYQ12IcarzF1oaII=; b=pWXyBAkWD68mmKBt8Qh+RhC3yuRG7P/hnKVjpgKdPNWbZNWhIXdPSeKGFL6oHveB0x 6W+iQ5kp2EzS3/omu1OnpQpvOss6sTt5DlVmdVbRxf7ytjnUAyw3zeENYITB4AzsqRnk TkQ2EFxj7XFEFcyIM+9i5A6gtlnNz2twQbE9Dk3GQtn9Zb8mki4PAlDXs7j2PTvP87Ug XgSgZHRLPFZgL8qUzR9QBjBLyl9SJsaMEN/pug6SjTs0u9USMb6/C2GgYO7fhOb83dGU PXFdhV4g8gAbjXOmSlmCydz9Y6VU0AqxFH7+JFu5G+cQt6LieDTWjxIK8oL3mU+tOlUM qglA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=BvVn1xSt; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. 
[209.132.180.67]) by mx.google.com with ESMTP id i12si360957pgq.466.2018.12.06.06.54.45; Thu, 06 Dec 2018 06:55:00 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=BvVn1xSt; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726157AbeLFOwY (ORCPT + 99 others); Thu, 6 Dec 2018 09:52:24 -0500 Received: from mail.kernel.org ([198.145.29.99]:50864 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731189AbeLFOqJ (ORCPT ); Thu, 6 Dec 2018 09:46:09 -0500 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 010F320661; Thu, 6 Dec 2018 14:46:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1544107568; bh=wKB4lH7HY4LwE6YVrSN19qerz8Arc4wjWPmdZkmUiZ0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=BvVn1xSt15YAiq39dss8zpVIBQk8fG0J1u4LAZLX8e0OAe1CdvfomzLTGg2jyhP4j IBEZuAsG6btwMqpGkDVqhM+zxYVusL7f+YmxxVu3VUZ+YUUWhBqMRmfVqzF4/94IPe XFjTMfl/W+3AZhjdUdjy98F74eHpS134/mkFhSAs= 
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ilya Dryomov , Sage Weil , Ben Hutchings Subject: [PATCH 4.9 055/101] libceph: implement CEPHX_V2 calculation mode Date: Thu, 6 Dec 2018 15:38:54 +0100 Message-Id: <20181206143014.720460465@linuxfoundation.org> X-Mailer: git-send-email 2.19.2 In-Reply-To: <20181206143011.174892052@linuxfoundation.org> References: <20181206143011.174892052@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Ilya Dryomov commit cc255c76c70f7a87d97939621eae04b600d9f4a1 upstream. Derive the signature from the entire buffer (both AES cipher blocks) instead of using just the first half of the first block, leaving out data_crc entirely. This addresses CVE-2018-1129. Link: http://tracker.ceph.com/issues/24837 Signed-off-by: Ilya Dryomov Reviewed-by: Sage Weil [bwh: Backported to 4.9: - Define and test the feature bit in the old way - Don't change any other feature bits in ceph_features.h] Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman --- include/linux/ceph/ceph_features.h | 4 + net/ceph/auth_x.c | 77 +++++++++++++++++++++++++++---------- 2 files changed, 61 insertions(+), 20 deletions(-)
--- a/include/linux/ceph/ceph_features.h
+++ b/include/linux/ceph/ceph_features.h
@@ -76,6 +76,7 @@
 // duplicated since it was introduced at the same time as CEPH_FEATURE_CRUSH_TUNABLES5
 #define CEPH_FEATURE_NEW_OSDOPREPLY_ENCODING (1ULL<<58) /* New, v7 encoding */
 #define CEPH_FEATURE_FS_FILE_LAYOUT_V2 (1ULL<<58) /* file_layout_t */
+#define CEPH_FEATURE_CEPHX_V2 (1ULL<<61) // *do not share this bit*
 /*
 * The introduction of CEPH_FEATURE_OSD_SNAPMAPPER caused the feature
@@ -124,7 +125,8 @@ static inline u64 ceph_sanitize_features
 CEPH_FEATURE_MSGR_KEEPALIVE2 | \
 CEPH_FEATURE_CRUSH_V4 | \
 CEPH_FEATURE_CRUSH_TUNABLES5 | \
- CEPH_FEATURE_NEW_OSDOPREPLY_ENCODING)
+ CEPH_FEATURE_NEW_OSDOPREPLY_ENCODING | \
+ CEPH_FEATURE_CEPHX_V2)
 #define CEPH_FEATURES_REQUIRED_DEFAULT \
 (CEPH_FEATURE_NOSRCADDR | \
--- a/net/ceph/auth_x.c
+++ b/net/ceph/auth_x.c
@@ -8,6 +8,7 @@
 #include
 #include
+#include
 #include
 #include
@@ -799,26 +800,64 @@ static int calc_signature(struct ceph_x_
 __le64 *psig)
 {
 void *enc_buf = au->enc_buf;
- struct {
- __le32 len;
- __le32 header_crc;
- __le32 front_crc;
- __le32 middle_crc;
- __le32 data_crc;
- } __packed *sigblock = enc_buf + ceph_x_encrypt_offset();
- int ret;
-
- sigblock->len = cpu_to_le32(4*sizeof(u32));
- sigblock->header_crc = msg->hdr.crc;
- sigblock->front_crc = msg->footer.front_crc;
- sigblock->middle_crc = msg->footer.middle_crc;
- sigblock->data_crc = msg->footer.data_crc;
- ret = ceph_x_encrypt(&au->session_key, enc_buf, CEPHX_AU_ENC_BUF_LEN,
- sizeof(*sigblock));
- if (ret < 0)
- return ret;
+ int ret;
+
+ if (msg->con->peer_features & CEPH_FEATURE_CEPHX_V2) {
+ struct {
+ __le32 len;
+ __le32 header_crc;
+ __le32 front_crc;
+ __le32 middle_crc;
+ __le32 data_crc;
+ } __packed *sigblock = enc_buf + ceph_x_encrypt_offset();
+
+ sigblock->len = cpu_to_le32(4*sizeof(u32));
+ sigblock->header_crc = msg->hdr.crc;
+ sigblock->front_crc = msg->footer.front_crc;
+ sigblock->middle_crc = msg->footer.middle_crc;
+ sigblock->data_crc = msg->footer.data_crc;
+
+ ret = ceph_x_encrypt(&au->session_key, enc_buf,
+ CEPHX_AU_ENC_BUF_LEN, sizeof(*sigblock));
+ if (ret < 0)
+ return ret;
+
+ *psig = *(__le64 *)(enc_buf + sizeof(u32));
+ } else {
+ struct {
+ __le32 header_crc;
+ __le32 front_crc;
+ __le32 front_len;
+ __le32 middle_crc;
+ __le32 middle_len;
+ __le32 data_crc;
+ __le32 data_len;
+ __le32 seq_lower_word;
+ } __packed *sigblock = enc_buf;
+ struct {
+ __le64 a, b, c, d;
+ } __packed *penc = enc_buf;
+ int ciphertext_len;
+
+ sigblock->header_crc = msg->hdr.crc;
+ sigblock->front_crc = msg->footer.front_crc;
+ sigblock->front_len = msg->hdr.front_len;
+ sigblock->middle_crc = msg->footer.middle_crc;
+ sigblock->middle_len = msg->hdr.middle_len;
+ sigblock->data_crc = msg->footer.data_crc;
+ sigblock->data_len = msg->hdr.data_len;
+ sigblock->seq_lower_word = *(__le32 *)&msg->hdr.seq;
+
+ /* no leading len, no ceph_x_encrypt_header */
+ ret = ceph_crypt(&au->session_key, true, enc_buf,
+ CEPHX_AU_ENC_BUF_LEN, sizeof(*sigblock),
+ &ciphertext_len);
+ if (ret)
+ return ret;
+
+ *psig = penc->a ^ penc->b ^ penc->c ^ penc->d;
+ }
- *psig = *(__le64 *)(enc_buf + sizeof(u32));
 return 0;
 }
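Review bot: The feature test in calc_signature looks inverted relative to the branch bodies: `if (msg->con->peer_features & CEPH_FEATURE_CEPHX_V2)` selects the block that still prepends `len`, calls ceph_x_encrypt() and takes `*psig` from the eight bytes at `enc_buf + sizeof(u32)`, which is the calculation the commit message says it replaces, while the `else` branch holds the new sigblock and the XOR over `penc->a..d`. As written, a peer that advertises CEPHX_V2 would get the legacy signature, leaving the CVE-2018-1129 weakness in place for it, and a peer without the bit would get the new one, which it presumably cannot verify. The condition should read `if (!(msg->con->peer_features & CEPH_FEATURE_CEPHX_V2)) {`. A one-line comment on each branch naming its mode, such as `/* legacy: 8 bytes after the len word */` and `/* CEPHX_V2: XOR of both AES blocks */`, would make the pairing harder to get wrong in later backports.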