• Eric Biggers's avatar
    KEYS: encrypted: avoid encrypting/decrypting stack buffers · 7e4c3a6d
    Eric Biggers authored
    commit e9ff56ac upstream.
    
    Since v4.9, the crypto API cannot (normally) be used to encrypt/decrypt
    stack buffers because the stack may be virtually mapped.  Fix this for
    the padding buffers in encrypted-keys by using ZERO_PAGE for the
    encryption padding and by allocating a temporary heap buffer for the
    decryption padding.
    
    Tested with CONFIG_DEBUG_SG=y:
    	keyctl new_session
    	keyctl add user master "abcdefghijklmnop" @s
    	keyid=$(keyctl add encrypted desc "new user:master 25" @s)
    	datablob="$(keyctl pipe $keyid)"
    	keyctl unlink $keyid
    	keyid=$(keyctl add encrypted desc "load $datablob" @s)
    	datablob2="$(keyctl pipe $keyid)"
    	[ "$datablob" = "$datablob2" ] && echo "Success!"
    
    Cc: Andy Lutomirski <luto@kernel.org>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
    Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    7e4c3a6d
encrypted.c 26.7 KB