Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp15241670rwb; Mon, 28 Nov 2022 09:21:02 -0800 (PST) X-Google-Smtp-Source: AA0mqf5Iw+Oe9qsZlMjHDVHTVL0sIZxc9x/tYeSZaVIdB/BQkB2gVfPR6uNZoKkBQUI99O96quIc X-Received: by 2002:a05:6402:100b:b0:461:f1c6:1f22 with SMTP id c11-20020a056402100b00b00461f1c61f22mr34664703edu.95.1669656062454; Mon, 28 Nov 2022 09:21:02 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669656062; cv=none; d=google.com; s=arc-20160816; b=fTPH66oi3C67jPYnkuBODcehYLC4gjlTXmzBce7DHhM3xlHxMnDbc/JeWycmSk/5eJ VRy8xVnAr06x+Cw213Hc8lTpc4uD7YmFeDAcWv4z5YU3acyBvwVw0sZCqEf7b8rYslE8 SPyqOSsBVFTqn20yBadERKoMSWD3ZnyO2PaEFSKD0O6/JEFCfwU8VsqgW29kAf1lWns2 d4daK/dms6ZvORGVAiHUnqRh+yJNbdb5NglVhTqYc5UKpi35YiVNEY4I24rYrPd4wJ99 BZWbY5DXMC0nXXTN8uSzgxWugdE+CBE3tP9JOB36tbciBm2iSBKjV0E6s0NLEfW2f63E pcAQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent :content-transfer-encoding:references:in-reply-to:date:to:from :subject:message-id:dkim-signature; bh=2URlGLfDoVG7hUiFpG7KzTYT2S0mgAAkrrKMQh/B/1U=; b=uFh5eXmeI+pDT6NTuSKYdNsN+ZzA0zmXdqUsVZ7/k2Y7K/TQwr8dEiXO0RsTVQXqNi r93NfO3oI9hoLXM8H6FCFMoGxMGh1LrVO6GeDg1fS1M+5z9uge9ow3qYswjLC3WxyvPr hqFG47G3iEcFkj+c3zl8r3bbtI1MqUwr8mOcAf8yEHBF/XcfFkkljdmVSjAwEUEvbDje 12dS+Z58m7Ftqka5e1XVYv252ZFSjpRVWWl9x0L8axpYR3GrUd+vEEawqEROa2hRr16Z 5bvgXoXcbdoKSvRC2dNfjzxduuVElTpnB+4a6DmWWPtGeoUHwTFNrmkBl7ckkyTWSXco NqPQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=R4ANSpQY; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id cs17-20020a170906dc9100b00780def41dc4si10395633ejc.527.2022.11.28.09.20.35; Mon, 28 Nov 2022 09:21:02 -0800 (PST) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=R4ANSpQY; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232651AbiK1ROD (ORCPT + 99 others); Mon, 28 Nov 2022 12:14:03 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33058 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232512AbiK1ROB (ORCPT ); Mon, 28 Nov 2022 12:14:01 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C6CCD1BE9C for ; Mon, 28 Nov 2022 09:13:59 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id CC9ECB80E72 for ; Mon, 28 Nov 2022 17:13:57 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 26339C433C1; Mon, 28 Nov 2022 17:13:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1669655636; bh=Z3D+awR9tDnQn1SA5vFOdIdzhwSS8huyDGSOLQHb7H4=; h=Subject:From:To:Date:In-Reply-To:References:From; b=R4ANSpQY8bXAgcBRMytrNWjEziQdkfv2H1rXaGVftyzAML/K0n1CMgkKdLGGLr/45 M/akxguLCntUZFoExCyrlX2Q4C+RmlNmP1mE9AQexpYi9NHB4D0zRmcDj/PNMZoNzI 4zpydXFa2U7UKl8J0STpCinLWpwRzN+ULT+JxKCiU3yMM6CzxgKDQaLPPzcWCV8rNN cFohVi6QF1GnMACAhUKMEKbrqlgjvmZDH+Y3W/VdLx94jh2FtrbVX2KYgZdRVsFkwk zVaHcPjd13znTpAnDHLpOgsvr8lxW9T1D6yMD2nVvKiPGiGqk7gjd7jhB1Jd/Wh3h+ 2KVAHSDk/Z8TA== Message-ID: Subject: Re: [PATCH] SUNRPC: Fix crasher in unwrap_integ_data() From: Jeff Layton To: Chuck Lever , linux-nfs@vger.kernel.org Date: Mon, 28 Nov 2022 12:13:54 -0500 In-Reply-To: References: <166956944745.113279.2771726273440100988.stgit@klimt.1015granger.net> Content-Type: text/plain; charset="ISO-8859-15" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.46.1 (3.46.1-1.fc37) MIME-Version: 1.0 X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Mon, 2022-11-28 at 12:12 -0500, Jeff Layton wrote: > On Sun, 2022-11-27 at 12:17 -0500, Chuck Lever wrote: > > If a zero length is passed to kmalloc() it returns 0x10, which is > > not a valid address. gss_verify_mic() subsequently crashes when it > > attempts to dereference that pointer. > >=20 > > Instead of allocating this memory on every call based on an > > untrusted size value, use a piece of dynamically-allocated scratch > > memory that is always available. > >=20 > > Signed-off-by: Chuck Lever > > --- > > net/sunrpc/auth_gss/svcauth_gss.c | 55 ++++++++++++++++++++++-------= -------- > > 1 file changed, 32 insertions(+), 23 deletions(-) > >=20 > > diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/sv= cauth_gss.c > > index 9a5db285d4ae..148bb0a7fa5b 100644 > > --- a/net/sunrpc/auth_gss/svcauth_gss.c > > +++ b/net/sunrpc/auth_gss/svcauth_gss.c > > @@ -49,11 +49,36 @@ > > #include > > #include > > #include > > +#include > > =20 > > #include > > =20 > > #include "gss_rpc_upcall.h" > > =20 > > +/* > > + * Unfortunately there isn't a maximum checksum size exported via the > > + * GSS API. Manufacture one based on GSS mechanisms supported by this > > + * implementation. > > + */ > > +#define GSS_MAX_CKSUMSIZE (GSS_KRB5_TOK_HDR_LEN + GSS_KRB5_MAX_CKSUM_L= EN) > > + > > +/* > > + * This value may be increased in the future to accommodate other > > + * usage of the scratch buffer. > > + */ > > +#define GSS_SCRATCH_SIZE GSS_MAX_CKSUMSIZE > > + > > +struct gss_svc_data { > > + /* decoded gss client cred: */ > > + struct rpc_gss_wire_cred clcred; > > + /* save a pointer to the beginning of the encoded verifier, > > + * for use in encryption/checksumming in svcauth_gss_release: */ > > + __be32 *verf_start; > > + struct rsc *rsci; > > + > > + /* for temporary results */ > > + u8 gsd_scratch[GSS_SCRATCH_SIZE]; > > +}; > > =20 > > /* The rpcsec_init cache is used for mapping RPCSEC_GSS_{,CONT_}INIT r= equests > > * into replies. > > @@ -887,13 +912,11 @@ read_u32_from_xdr_buf(struct xdr_buf *buf, int ba= se, u32 *obj) > > static int > > unwrap_integ_data(struct svc_rqst *rqstp, struct xdr_buf *buf, u32 seq= , struct gss_ctx *ctx) > > { > > + struct gss_svc_data *gsd =3D rqstp->rq_auth_data; > > u32 integ_len, rseqno, maj_stat; > > - int stat =3D -EINVAL; > > struct xdr_netobj mic; > > struct xdr_buf integ_buf; > > =20 > > - mic.data =3D NULL; > > - > > /* NFS READ normally uses splice to send data in-place. However > > * the data in cache can change after the reply's MIC is computed > > * but before the RPC reply is sent. To prevent the client from > > @@ -917,11 +940,9 @@ unwrap_integ_data(struct svc_rqst *rqstp, struct x= dr_buf *buf, u32 seq, struct g > > /* copy out mic... */ > > if (read_u32_from_xdr_buf(buf, integ_len, &mic.len)) > > goto unwrap_failed; > > - if (mic.len > RPC_MAX_AUTH_SIZE) > > - goto unwrap_failed; > > - mic.data =3D kmalloc(mic.len, GFP_KERNEL); > > - if (!mic.data) > > + if (mic.len > sizeof(gsd->gsd_scratch)) > > goto unwrap_failed; > > + mic.data =3D gsd->gsd_scratch; > > if (read_bytes_from_xdr_buf(buf, integ_len + 4, mic.data, mic.len)) > > goto unwrap_failed; > > maj_stat =3D gss_verify_mic(ctx, &integ_buf, &mic); > > @@ -932,20 +953,17 @@ unwrap_integ_data(struct svc_rqst *rqstp, struct = xdr_buf *buf, u32 seq, struct g > > goto bad_seqno; > > /* trim off the mic and padding at the end before returning */ > > xdr_buf_trim(buf, round_up_to_quad(mic.len) + 4); > > - stat =3D 0; > > -out: > > - kfree(mic.data); > > - return stat; > > + return 0; > > =20 > > unwrap_failed: > > trace_rpcgss_svc_unwrap_failed(rqstp); > > - goto out; > > + return -EINVAL; > > bad_seqno: > > trace_rpcgss_svc_seqno_bad(rqstp, seq, rseqno); > > - goto out; > > + return -EINVAL; > > bad_mic: > > trace_rpcgss_svc_mic(rqstp, maj_stat); > > - goto out; > > + return -EINVAL; > > } > > =20 > > static inline int > > @@ -1023,15 +1041,6 @@ unwrap_priv_data(struct svc_rqst *rqstp, struct = xdr_buf *buf, u32 seq, struct gs > > return -EINVAL; > > } > > =20 > > -struct gss_svc_data { > > - /* decoded gss client cred: */ > > - struct rpc_gss_wire_cred clcred; > > - /* save a pointer to the beginning of the encoded verifier, > > - * for use in encryption/checksumming in svcauth_gss_release: */ > > - __be32 *verf_start; > > - struct rsc *rsci; > > -}; > > - > > static int > > svcauth_gss_set_client(struct svc_rqst *rqstp) > > { > >=20 > >=20 >=20 > That makes a lot more sense! >=20 > Reviewed-by: Jeff Layton How did you find this, btw? Is there a bug report or something? --=20 Jeff Layton