• Eric Biggers's avatar
    fscrypt: remove broken support for detecting keyring key revocation · 1b53cf98
    Eric Biggers authored
    Filesystem encryption ostensibly supported revoking a keyring key that
    had been used to "unlock" encrypted files, causing those files to become
    "locked" again.  This was, however, buggy for several reasons, the most
    severe of which was that when key revocation happened to be detected for
    an inode, its fscrypt_info was immediately freed, even while other
    threads could be using it for encryption or decryption concurrently.
    This could be exploited to crash the kernel or worse.
    
    This patch fixes the use-after-free by removing the code which detects
    the keyring key having been revoked, invalidated, or expired.  Instead,
    an encrypted inode that is "unlocked" now simply remains unlocked until
    it is evicted from memory.  Note that this is no worse than the case for
    block device-level encryption, e.g. dm-crypt, and it still remains
    possible for a privileged user to evict unused pages, inodes, and
    dentries by running 'sync; echo 3 > /proc/sys/vm/drop_caches', or by
    simply unmounting the filesystem.  In fact, one of those actions was
    already needed anyway for key revocation to work even somewhat sanely.
    This change is not expected to break any applications.
    
    In the future I'd like to implement a real API for fscrypt key
    revocation that interacts sanely with ongoing filesystem operations ---
    waiting for existing operations to complete and blocking new operations,
    and invalidating and sanitizing key material and plaintext from the VFS
    caches.  But this is a hard problem, and for now this bug must be fixed.
    
    This bug affected almost all versions of ext4, f2fs, and ubifs
    encryption, and it was potentially reachable in any kernel configured
    with encryption support (CONFIG_EXT4_ENCRYPTION=y,
    CONFIG_EXT4_FS_ENCRYPTION=y, CONFIG_F2FS_FS_ENCRYPTION=y, or
    CONFIG_UBIFS_FS_ENCRYPTION=y).  Note that older kernels did not use the
    shared fs/crypto/ code, but due to the potential security implications
    of this bug, it may still be worthwhile to backport this fix to them.
    
    Fixes: b7236e21 ("ext4 crypto: reorganize how we store keys in the inode")
    Cc: stable@vger.kernel.org # v4.2+
    Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
    Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
    Acked-by: default avatarMichael Halcrow <mhalcrow@google.com>
    1b53cf98
crypto.c 13.6 KB