Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp2878770ybb; Sun, 5 Apr 2020 19:39:11 -0700 (PDT) X-Google-Smtp-Source: APiQypJc5c9OgO5tSUdP+qqXD8AE9HO+wGbRfNPGts/o6ZHQGH+E9QU0tEgyqDJQ3unquliGivbG X-Received: by 2002:a4a:e78b:: with SMTP id x11mr15836302oov.45.1586140751660; Sun, 05 Apr 2020 19:39:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1586140751; cv=none; d=google.com; s=arc-20160816; b=ix7jmW6WigUuSnTsM/EPIiTrsG+RgBr3Qb3nFwarjw3d2vPWbYBiMHbT/N6+/NDXOy 24n0O56WNaC5A57rM4BJHHXp3BEGcLC4qBCqqFh/xF8eK54v0vje+EVI3hA99ejMk0KM NY2c2812ZWajCUwNdscsd904EN90NiuqxtGDyv7DpnIdrun85I4A0A5yrMyd3tBXRGH+ /ydMM2fUZGazkop5FV4Qxi+knvSjYvhAfxpJu9T3Qw6dswKfMwc6gzndiljTCTADSZl5 UasRooqNC8TWZxhRo/ZGFVjIg4JsnT4+hC5GZ0YsVwEeXnSlNiZzHyZTHFyJyFdfuXe5 5Syw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature; bh=3j6/xWR+/y23CIGLVS1aOs+gMcx6PTwUHS8ah6Kg6mM=; b=DxEAASgLDKCRbzROcOuI1RsqmnKHZdwB5rrccbqDVxgkE4BIJX3U+za/CTEI1hoqGA xvk2L26AL+zy+4j81TtV5C2y0H+fTPMJfWwopQ4vdwfnWutyO3b/LEaWjEtyHzlEQOLS sQdQgRLiNuXEB6gEvHDsHSzXhwTdfKesGwtQ5yv8LvmK0ehKq3E+Oy+SIXBB4csqo2l1 ZlQV2kyx0t2/NE6b/BhcxreGnSOTKWwBgMXMNi8+1HE+EzkLR/8xWKp4aHa7F51h6hNI tNVQzHFRdweciPMkF/QnlE2T6YbvcKUhq1q81JZfPX7yiLQVy/UYy0rU30DUQtVObCma L3JA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=N1cpmN3c; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t8si7444939oth.204.2020.04.05.19.38.59; Sun, 05 Apr 2020 19:39:11 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=N1cpmN3c; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726494AbgDFChn (ORCPT + 99 others); Sun, 5 Apr 2020 22:37:43 -0400 Received: from us-smtp-1.mimecast.com ([207.211.31.81]:21108 "EHLO us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726444AbgDFChn (ORCPT ); Sun, 5 Apr 2020 22:37:43 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1586140662; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc; bh=3j6/xWR+/y23CIGLVS1aOs+gMcx6PTwUHS8ah6Kg6mM=; b=N1cpmN3cJNUAm9BoVeNRidOXhpJs9WofQgHLEDwt5JlTowYg4CxIFmFSbsbhESDi5+kKxq MzTCYUhjVg2gBkUOKTNSIEtKSYFOXHN74q4oJgi788z8cAt1o/6z/+2MNoYZXr9riXJnZh gxPrLE/vkmQa+YY2XY9726VfhYWi/Bg= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-433-8G4g1HmhMgKfrjtv31jIVQ-1; Sun, 05 Apr 2020 22:37:38 -0400 X-MC-Unique: 8G4g1HmhMgKfrjtv31jIVQ-1 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 2A8B519067E3; Mon, 6 Apr 2020 02:37:37 +0000 (UTC) Received: from llong.com (ovpn-112-57.rdu2.redhat.com [10.10.112.57]) by smtp.corp.redhat.com (Postfix) with ESMTP id D7A91277A4; Mon, 6 Apr 2020 02:37:28 +0000 (UTC) From: Waiman Long To: Andrew Morton , David Howells , Jarkko Sakkinen , James Morris , "Serge E. Hallyn" Cc: linux-mm@kvack.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, Linus Torvalds , Waiman Long Subject: [PATCH] mm: Add kvfree_sensitive() for freeing sensitive data objects Date: Sun, 5 Apr 2020 22:37:00 -0400 Message-Id: <20200406023700.1367-1-longman@redhat.com> X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org For kvmalloc'ed data object that contains sensitive information like cryptographic key, we need to make sure that the buffer is always cleared before freeing it. Using memset() alone for buffer clearing may not provide certainty as the compiler may compile it away. To be sure, the special memzero_explicit() has to be used. This patch introduces a new kvfree_sensitive() for freeing those sensitive data objects allocated by kvmalloc(). The relevnat places where kvfree_sensitive() can be used are modified to use it. Fixes: 4f0882491a14 ("KEYS: Avoid false positive ENOMEM error on key read") Suggested-by: Linus Torvalds Signed-off-by: Waiman Long --- include/linux/mm.h | 17 +++++++++++++++++ security/keys/internal.h | 11 ----------- security/keys/keyctl.c | 16 +++++----------- 3 files changed, 22 insertions(+), 22 deletions(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index 7dd5c4ccbf85..c26f279f1956 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -758,6 +758,23 @@ static inline void *kvcalloc(size_t n, size_t size, gfp_t flags) extern void kvfree(const void *addr); +/** + * kvfree_sensitive - free a data object containing sensitive information + * @addr - address of the data object to be freed + * @len - length of the data object + * + * Use the special memzero_explicit() function to clear the content of a + * kvmalloc'ed object containing sensitive data to make sure that the + * compiler won't optimize out the data clearing. + */ +static inline void kvfree_sensitive(const void *addr, size_t len) +{ + if (addr) { + memzero_explicit((void *)addr, len); + kvfree(addr); + } +} + static inline int compound_mapcount(struct page *page) { VM_BUG_ON_PAGE(!PageCompound(page), page); diff --git a/security/keys/internal.h b/security/keys/internal.h index 6d0ca48ae9a5..153d35c20d3d 100644 --- a/security/keys/internal.h +++ b/security/keys/internal.h @@ -350,15 +350,4 @@ static inline void key_check(const struct key *key) #define key_check(key) do {} while(0) #endif - -/* - * Helper function to clear and free a kvmalloc'ed memory object. - */ -static inline void __kvzfree(const void *addr, size_t len) -{ - if (addr) { - memset((void *)addr, 0, len); - kvfree(addr); - } -} #endif /* _INTERNAL_H */ diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 5e01192e222a..edde63a63007 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c @@ -142,10 +142,7 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type, key_ref_put(keyring_ref); error3: - if (payload) { - memzero_explicit(payload, plen); - kvfree(payload); - } + kvfree_sensitive(payload, plen); error2: kfree(description); error: @@ -360,7 +357,7 @@ long keyctl_update_key(key_serial_t id, key_ref_put(key_ref); error2: - __kvzfree(payload, plen); + kvfree_sensitive(payload, plen); error: return ret; } @@ -914,7 +911,7 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) */ if (ret > key_data_len) { if (unlikely(key_data)) - __kvzfree(key_data, key_data_len); + kvfree_sensitive(key_data, key_data_len); key_data_len = ret; continue; /* Allocate buffer */ } @@ -923,7 +920,7 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) ret = -EFAULT; break; } - __kvzfree(key_data, key_data_len); + kvfree_sensitive(key_data, key_data_len); key_put_out: key_put(key); @@ -1225,10 +1222,7 @@ long keyctl_instantiate_key_common(key_serial_t id, keyctl_change_reqkey_auth(NULL); error2: - if (payload) { - memzero_explicit(payload, plen); - kvfree(payload); - } + kvfree_sensitive(payload, plen); error: return ret; } -- 2.18.1