From patchwork Fri Oct 6 01:41:55 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Herbert Xu X-Patchwork-Id: 13410921 X-Patchwork-Delegate: snitzer@redhat.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 8C9A6E92FC5 for ; Fri, 6 Oct 2023 01:42:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1696556532; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=3cQWCGAG6SqZoUjIfijhQnxjdcbqAJs7waWSgEe4f3Q=; b=Pwhqj1dTvrPqEFu5XYzekgeyIYPk+SFoFGHi1yOTVH3Hb+/XcLf5olj8/Wp2pg39uFQr+e y3mimcfOuT8LQCTJkV4XKr1mhA3pNsOUExnaZKHAw0yU+rdb8SMRfxU2OmpFhvnXpTxlWV Mj89r3deVi/bJug7X4TBaRsJMOcDfI8= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-206-JVlGJCHoO02bL2Hp7UWizg-1; Thu, 05 Oct 2023 21:42:09 -0400 X-MC-Unique: JVlGJCHoO02bL2Hp7UWizg-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com [10.11.54.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 074B38030D4; Fri, 6 Oct 2023 01:42:07 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com [10.30.29.100]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2777540C6EA8; Fri, 6 Oct 2023 01:42:03 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (localhost [IPv6:::1]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id CBA2C19465A2; Fri, 6 Oct 2023 01:42:02 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id EE89B194658F for ; Fri, 6 Oct 2023 01:42:01 +0000 (UTC) Received: by smtp.corp.redhat.com (Postfix) id 935C4442CB0; Fri, 6 Oct 2023 01:42:01 +0000 (UTC) Received: from abb.hmeau.com (unknown [10.67.24.162]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 4B63A47AD4A; Fri, 6 Oct 2023 01:42:01 +0000 (UTC) Received: from loth.rohan.me.apana.org.au ([192.168.167.2]) by formenos.hmeau.com with smtp (Exim 4.94.2 #2 (Debian)) id 1qoZqh-0043of-2s; Fri, 06 Oct 2023 09:41:52 +0800 Received: by loth.rohan.me.apana.org.au (sSMTP sendmail emulation); Fri, 06 Oct 2023 09:41:55 +0800 Date: Fri, 6 Oct 2023 09:41:55 +0800 From: Herbert Xu To: Bagas Sanjaya , Linux Crypto Mailing List Message-ID: References: MIME-Version: 1.0 In-Reply-To: X-Scanned-By: MIMEDefang 3.1 on 10.11.54.9 Subject: [dm-devel] [PATCH] dm crypt: Fix reqsize in crypt_iv_eboiv_gen X-BeenThere: dm-devel@redhat.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: device-mapper development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Linux Regressions , Tatu =?iso-8859-1?q?Hei?= =?iso-8859-1?q?kkil=E4?= , Mike Snitzer , Linux Kernel Mailing List , Linux Device Mapper , Alasdair Kergon Errors-To: dm-devel-bounces@redhat.com Sender: "dm-devel" X-Scanned-By: MIMEDefang 3.1 on 10.11.54.2 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: gondor.apana.org.au Content-Disposition: inline On Fri, Oct 06, 2023 at 08:04:18AM +0700, Bagas Sanjaya wrote: > > > Git bisect lead me to: > > # first bad commit: [e3023094dffb41540330fb0c74cd3a019cd525c2] dm crypt: > > Avoid using MAX_CIPHER_BLOCKSIZE > > > > If I git revert e3023094dffb41540330fb0c74cd3a019cd525c2 on current Linus' > > git master, the issue goes away. So I'm personally not all that affected > > anymore (if I'm ready to compile my kernels from now on), and I understand > > that you have no clear way to reproduce this as it seems strongly bound to > > hardware, but seems like this could point to a potentially serious security > > issue since it involves both crypto and undefined behaviour. Thanks for the report. Sorry this is indeed my fault. The allocated buffer is too small as it's missing the size for the request object itself. Mike, would you be OK with me picking this fix up and pushing it to Linus? Cheers, ---8<--- A skcipher_request object is made up of struct skcipher_request followed by a variable-sized trailer. The allocation of the skcipher_request and IV in crypt_iv_eboiv_gen is missing the memory for struct skcipher_request. Fix it by adding it to reqsize. Fixes: e3023094dffb ("dm crypt: Avoid using MAX_CIPHER_BLOCKSIZE") Reported-by: Tatu Heikkil� Signed-off-by: Herbert Xu Reviewed-by: Mike Mike Snitzer diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c index f2662c21a6df..5315fd261c23 100644 --- a/drivers/md/dm-crypt.c +++ b/drivers/md/dm-crypt.c @@ -753,7 +753,8 @@ static int crypt_iv_eboiv_gen(struct crypt_config *cc, u8 *iv, int err; u8 *buf; - reqsize = ALIGN(crypto_skcipher_reqsize(tfm), __alignof__(__le64)); + reqsize = sizeof(*req) + crypto_skcipher_reqsize(tfm); + reqsize = ALIGN(reqsize, __alignof__(__le64)); req = kmalloc(reqsize + cc->iv_size, GFP_NOIO); if (!req)