From patchwork Sun May 28 08:12:49 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christoph Hellwig X-Patchwork-Id: 9752493 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 02E8F602CC for ; Sun, 28 May 2017 12:06:05 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D656927F7F for ; Sun, 28 May 2017 12:06:04 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id C7F822845D; Sun, 28 May 2017 12:06:04 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_MED,T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id B6D4E27F7F for ; Sun, 28 May 2017 12:06:03 +0000 (UTC) Received: (qmail 28193 invoked by uid 550); 28 May 2017 12:06:02 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Delivered-To: moderator for kernel-hardening@lists.openwall.com Received: (qmail 1828 invoked from network); 28 May 2017 08:13:02 -0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=bombadil.20170209; h=In-Reply-To:Content-Type:MIME-Version :References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=PQ2JQxoCc+YSvZCGIbb1KJY/wz2LuwRKbYuw4NqGfLI=; b=qpQswztdAWEq0qamZbqxzSdqk ecjNwDUU+vt1u6tpVxlEar1tz2pIq9SL3KuxR8Uh1OtT+NPjdfOc6b5Js6mvfFN8/OwCXIQNosyGy piaWNWDaFEYqENgNNcSkVPAeEFcFzUgEI8n/vr5STSGFMRjdwWgN6YwwzWM/hIvszky+JbnlMoCUj 3Jipc0GaJgQZDudGKaLuRK+7bKjIGOv6s3cNcrjKBwgAi6YyteQczFt2CFCf2Ge06xLrsjxuaF/oi Jod9npzL/gFQEd8ij7qYIv4iBvGVocmitKizgm08CurOcxFjP6t8JeU8J/r7VhB8+YPUmwXB1qf5V 1NcuHyH+g==; Date: Sun, 28 May 2017 01:12:49 -0700 From: Christoph Hellwig To: Kees Cook Cc: kernel-hardening@lists.openwall.com, David Howells , Laura Abbott , x86@kernel.org, linux-kernel@vger.kernel.org Message-ID: <20170528081249.GD22193@infradead.org> References: <1495829844-69341-1-git-send-email-keescook@chromium.org> <1495829844-69341-8-git-send-email-keescook@chromium.org> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <1495829844-69341-8-git-send-email-keescook@chromium.org> User-Agent: Mutt/1.8.0 (2017-02-23) X-SRS-Rewrite: SMTP reverse-path rewritten from by bombadil.infradead.org. See http://www.infradead.org/rpr.html Subject: [kernel-hardening] Re: [PATCH v2 07/20] randstruct: Whitelist big_key path struct overloading X-Virus-Scanned: ClamAV using ClamSMTP What about the untested patch below to just fix the issue? Reviewed-by: Kees Cook --- From e9eb519c854d2f3d16a4def492577a883246e290 Mon Sep 17 00:00:00 2001 From: Christoph Hellwig Date: Sun, 28 May 2017 11:03:34 +0300 Subject: security/keys: don't cast union key_payload Instead store the individual pointers in struct path. Signed-off-by: Christoph Hellwig --- security/keys/big_key.c | 35 ++++++++++++++++++++--------------- 1 file changed, 20 insertions(+), 15 deletions(-) diff --git a/security/keys/big_key.c b/security/keys/big_key.c index 835c1ab30d01..06f2cd07dbd7 100644 --- a/security/keys/big_key.c +++ b/security/keys/big_key.c @@ -26,8 +26,8 @@ */ enum { big_key_data, - big_key_path, - big_key_path_2nd_part, + big_key_path_mnt, + big_key_path_dentry, big_key_len, }; @@ -118,12 +118,16 @@ static int big_key_crypt(enum big_key_op op, u8 *data, size_t datalen, u8 *key) return ret; } +#define PATH_FROM_PAYLOAD(p) { \ + .mnt = (p)->data[big_key_path_mnt], \ + .dentry = (p)->data[big_key_path_dentry], \ +} + /* * Preparse a big key */ int big_key_preparse(struct key_preparsed_payload *prep) { - struct path *path = (struct path *)&prep->payload.data[big_key_path]; struct file *file; u8 *enckey; u8 *data = NULL; @@ -190,9 +194,10 @@ int big_key_preparse(struct key_preparsed_payload *prep) /* Pin the mount and dentry to the key so that we can open it again * later */ + path_get(&file->f_path); prep->payload.data[big_key_data] = enckey; - *path = file->f_path; - path_get(path); + prep->payload.data[big_key_path_mnt] = file->f_path.mnt; + prep->payload.data[big_key_path_dentry] = file->f_path.dentry; fput(file); kfree(data); } else { @@ -222,9 +227,9 @@ int big_key_preparse(struct key_preparsed_payload *prep) void big_key_free_preparse(struct key_preparsed_payload *prep) { if (prep->datalen > BIG_KEY_FILE_THRESHOLD) { - struct path *path = (struct path *)&prep->payload.data[big_key_path]; + struct path path = PATH_FROM_PAYLOAD(&prep->payload); - path_put(path); + path_put(&path); } kfree(prep->payload.data[big_key_data]); } @@ -235,13 +240,13 @@ void big_key_free_preparse(struct key_preparsed_payload *prep) */ void big_key_revoke(struct key *key) { - struct path *path = (struct path *)&key->payload.data[big_key_path]; + struct path path = PATH_FROM_PAYLOAD(&key->payload); /* clear the quota */ key_payload_reserve(key, 0); if (key_is_instantiated(key) && (size_t)key->payload.data[big_key_len] > BIG_KEY_FILE_THRESHOLD) - vfs_truncate(path, 0); + vfs_truncate(&path, 0); } /* @@ -252,11 +257,11 @@ void big_key_destroy(struct key *key) size_t datalen = (size_t)key->payload.data[big_key_len]; if (datalen > BIG_KEY_FILE_THRESHOLD) { - struct path *path = (struct path *)&key->payload.data[big_key_path]; + struct path path = PATH_FROM_PAYLOAD(&key->payload); - path_put(path); - path->mnt = NULL; - path->dentry = NULL; + path_put(&path); + key->payload.data[big_key_path_mnt] = NULL; + key->payload.data[big_key_path_dentry] = NULL; } kfree(key->payload.data[big_key_data]); key->payload.data[big_key_data] = NULL; @@ -290,7 +295,7 @@ long big_key_read(const struct key *key, char __user *buffer, size_t buflen) return datalen; if (datalen > BIG_KEY_FILE_THRESHOLD) { - struct path *path = (struct path *)&key->payload.data[big_key_path]; + struct path path = PATH_FROM_PAYLOAD(&key->payload); struct file *file; u8 *data; u8 *enckey = (u8 *)key->payload.data[big_key_data]; @@ -300,7 +305,7 @@ long big_key_read(const struct key *key, char __user *buffer, size_t buflen) if (!data) return -ENOMEM; - file = dentry_open(path, O_RDONLY, current_cred()); + file = dentry_open(&path, O_RDONLY, current_cred()); if (IS_ERR(file)) { ret = PTR_ERR(file); goto error;