* [PATCH] SUNRPC: Reject short RFC 4121 MIC tokens in gss_krb5_verify_mic_v2
@ 2026-05-23 16:52 Chuck Lever
2026-05-24 10:47 ` Jeff Layton
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Chuck Lever @ 2026-05-23 16:52 UTC (permalink / raw)
To: NeilBrown, Jeff Layton, Olga Kornievskaia, Dai Ngo, Tom Talpey
Cc: linux-nfs, Chuck Lever, Chris Mason
From: Chuck Lever <chuck.lever@oracle.com>
gss_krb5_verify_mic_v2() reads the token ID at ptr[0..1], the flags
byte at ptr[2], and padding at ptr[3..7], then passes
ptr + GSS_KRB5_TOK_HDR_LEN and cksum_len to gss_krb5_mic_build_sg().
None of these accesses check read_token->len first.
The minimum safe token size is GSS_KRB5_TOK_HDR_LEN (16) plus
ctx->krb5e->cksum_len (12-24, depending on the enctype). All callers
accept shorter tokens from the wire:
- gss_unwrap_resp_integ() enforces only an upper bound
(offset + len <= rcv_buf->len) before allocating
mic.data = kmalloc(len) and passing it to gss_verify_mic().
A malicious NFS server can therefore supply a short checksum
opaque, producing a small slab allocation that the Kerberos MIC
verifier reads past.
- gss_validate() enforces only len <= RPC_MAX_AUTH_SIZE (400)
before passing the wire-supplied length to
gss_validate_seqno_mic(), which constructs a mic xdr_netobj
and calls gss_verify_mic().
- svcauth_gss_verify_header() enforces only
checksum.len >= XDR_UNIT (4 bytes) before dispatching to
gss_verify_mic().
- svcauth_gss_unwrap_integ() checks only that the checksum fits
in gsd->gsd_scratch.
Add a length guard at the top of gss_krb5_verify_mic_v2(), before any
ptr[] access or scatterlist construction. Well-formed MIC tokens from
gss_krb5_get_mic_v2() already have exactly GSS_KRB5_TOK_HDR_LEN +
cksum_len bytes, so valid traffic is unaffected.
Reported-by: Chris Mason <clm@meta.com>
Fixes: de9c17eb4a91 ("gss_krb5: add support for new token formats in rfc4121")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
net/sunrpc/auth_gss/gss_krb5_unseal.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/sunrpc/auth_gss/gss_krb5_unseal.c b/net/sunrpc/auth_gss/gss_krb5_unseal.c
index b5fb70419faa..4d12d49434c2 100644
--- a/net/sunrpc/auth_gss/gss_krb5_unseal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c
@@ -89,6 +89,9 @@ gss_krb5_verify_mic_v2(struct krb5_ctx *ctx, struct xdr_buf *message_buffer,
dprintk("RPC: %s\n", __func__);
+ if (read_token->len < GSS_KRB5_TOK_HDR_LEN + cksum_len)
+ return GSS_S_DEFECTIVE_TOKEN;
+
memcpy(&be16_ptr, (char *) ptr, 2);
if (be16_to_cpu(be16_ptr) != KG2_TOK_MIC)
return GSS_S_DEFECTIVE_TOKEN;
--
2.54.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] SUNRPC: Reject short RFC 4121 MIC tokens in gss_krb5_verify_mic_v2
2026-05-23 16:52 [PATCH] SUNRPC: Reject short RFC 4121 MIC tokens in gss_krb5_verify_mic_v2 Chuck Lever
@ 2026-05-24 10:47 ` Jeff Layton
2026-05-25 16:11 ` kernel test robot
2026-05-25 19:58 ` kernel test robot
2 siblings, 0 replies; 4+ messages in thread
From: Jeff Layton @ 2026-05-24 10:47 UTC (permalink / raw)
To: Chuck Lever, NeilBrown, Olga Kornievskaia, Dai Ngo, Tom Talpey
Cc: linux-nfs, Chuck Lever, Chris Mason
On Sat, 2026-05-23 at 12:52 -0400, Chuck Lever wrote:
> From: Chuck Lever <chuck.lever@oracle.com>
>
> gss_krb5_verify_mic_v2() reads the token ID at ptr[0..1], the flags
> byte at ptr[2], and padding at ptr[3..7], then passes
> ptr + GSS_KRB5_TOK_HDR_LEN and cksum_len to gss_krb5_mic_build_sg().
> None of these accesses check read_token->len first.
>
> The minimum safe token size is GSS_KRB5_TOK_HDR_LEN (16) plus
> ctx->krb5e->cksum_len (12-24, depending on the enctype). All callers
> accept shorter tokens from the wire:
>
> - gss_unwrap_resp_integ() enforces only an upper bound
> (offset + len <= rcv_buf->len) before allocating
> mic.data = kmalloc(len) and passing it to gss_verify_mic().
> A malicious NFS server can therefore supply a short checksum
> opaque, producing a small slab allocation that the Kerberos MIC
> verifier reads past.
>
> - gss_validate() enforces only len <= RPC_MAX_AUTH_SIZE (400)
> before passing the wire-supplied length to
> gss_validate_seqno_mic(), which constructs a mic xdr_netobj
> and calls gss_verify_mic().
>
> - svcauth_gss_verify_header() enforces only
> checksum.len >= XDR_UNIT (4 bytes) before dispatching to
> gss_verify_mic().
>
> - svcauth_gss_unwrap_integ() checks only that the checksum fits
> in gsd->gsd_scratch.
>
> Add a length guard at the top of gss_krb5_verify_mic_v2(), before any
> ptr[] access or scatterlist construction. Well-formed MIC tokens from
> gss_krb5_get_mic_v2() already have exactly GSS_KRB5_TOK_HDR_LEN +
> cksum_len bytes, so valid traffic is unaffected.
>
> Reported-by: Chris Mason <clm@meta.com>
> Fixes: de9c17eb4a91 ("gss_krb5: add support for new token formats in rfc4121")
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> ---
> net/sunrpc/auth_gss/gss_krb5_unseal.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/sunrpc/auth_gss/gss_krb5_unseal.c b/net/sunrpc/auth_gss/gss_krb5_unseal.c
> index b5fb70419faa..4d12d49434c2 100644
> --- a/net/sunrpc/auth_gss/gss_krb5_unseal.c
> +++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c
> @@ -89,6 +89,9 @@ gss_krb5_verify_mic_v2(struct krb5_ctx *ctx, struct xdr_buf *message_buffer,
>
> dprintk("RPC: %s\n", __func__);
>
> + if (read_token->len < GSS_KRB5_TOK_HDR_LEN + cksum_len)
> + return GSS_S_DEFECTIVE_TOKEN;
> +
> memcpy(&be16_ptr, (char *) ptr, 2);
> if (be16_to_cpu(be16_ptr) != KG2_TOK_MIC)
> return GSS_S_DEFECTIVE_TOKEN;
Reviewed-by: Jeff Layton <jlayton@kernel.org>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] SUNRPC: Reject short RFC 4121 MIC tokens in gss_krb5_verify_mic_v2
2026-05-23 16:52 [PATCH] SUNRPC: Reject short RFC 4121 MIC tokens in gss_krb5_verify_mic_v2 Chuck Lever
2026-05-24 10:47 ` Jeff Layton
@ 2026-05-25 16:11 ` kernel test robot
2026-05-25 19:58 ` kernel test robot
2 siblings, 0 replies; 4+ messages in thread
From: kernel test robot @ 2026-05-25 16:11 UTC (permalink / raw)
To: Chuck Lever; +Cc: oe-kbuild-all
Hi Chuck,
[This is a private test report for your RFC patch.]
kernel test robot noticed the following build errors:
[auto build test ERROR on trondmy-nfs/linux-next]
[also build test ERROR on linus/master v7.1-rc5 next-20260522]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Chuck-Lever/SUNRPC-Reject-short-RFC-4121-MIC-tokens-in-gss_krb5_verify_mic_v2/20260524-005345
base: git://git.linux-nfs.org/projects/trondmy/linux-nfs.git linux-next
patch link: https://lore.kernel.org/r/20260523165237.510204-1-cel%40kernel.org
patch subject: [PATCH] SUNRPC: Reject short RFC 4121 MIC tokens in gss_krb5_verify_mic_v2
config: sh-allmodconfig (https://download.01.org/0day-ci/archive/20260526/202605260025.iqHX0Pwi-lkp@intel.com/config)
compiler: sh4-linux-gcc (GCC) 15.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260526/202605260025.iqHX0Pwi-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202605260025.iqHX0Pwi-lkp@intel.com/
All errors (new ones prefixed by >>):
net/sunrpc/auth_gss/gss_krb5_unseal.c: In function 'gss_krb5_verify_mic_v2':
>> net/sunrpc/auth_gss/gss_krb5_unseal.c:89:54: error: 'cksum_len' undeclared (first use in this function)
89 | if (read_token->len < GSS_KRB5_TOK_HDR_LEN + cksum_len)
| ^~~~~~~~~
net/sunrpc/auth_gss/gss_krb5_unseal.c:89:54: note: each undeclared identifier is reported only once for each function it appears in
vim +/cksum_len +89 net/sunrpc/auth_gss/gss_krb5_unseal.c
69
70 u32
71 gss_krb5_verify_mic_v2(struct krb5_ctx *ctx, struct xdr_buf *message_buffer,
72 struct xdr_netobj *read_token)
73 {
74 struct crypto_ahash *tfm = ctx->initiate ?
75 ctx->acceptor_sign : ctx->initiator_sign;
76 char cksumdata[GSS_KRB5_MAX_CKSUM_LEN];
77 struct xdr_netobj cksumobj = {
78 .len = ctx->gk5e->cksumlength,
79 .data = cksumdata,
80 };
81 u8 *ptr = read_token->data;
82 __be16 be16_ptr;
83 time64_t now;
84 u8 flags;
85 int i;
86
87 dprintk("RPC: %s\n", __func__);
88
> 89 if (read_token->len < GSS_KRB5_TOK_HDR_LEN + cksum_len)
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] SUNRPC: Reject short RFC 4121 MIC tokens in gss_krb5_verify_mic_v2
2026-05-23 16:52 [PATCH] SUNRPC: Reject short RFC 4121 MIC tokens in gss_krb5_verify_mic_v2 Chuck Lever
2026-05-24 10:47 ` Jeff Layton
2026-05-25 16:11 ` kernel test robot
@ 2026-05-25 19:58 ` kernel test robot
2 siblings, 0 replies; 4+ messages in thread
From: kernel test robot @ 2026-05-25 19:58 UTC (permalink / raw)
To: Chuck Lever; +Cc: llvm, oe-kbuild-all
Hi Chuck,
[This is a private test report for your RFC patch.]
kernel test robot noticed the following build errors:
[auto build test ERROR on trondmy-nfs/linux-next]
[also build test ERROR on linus/master v7.1-rc5 next-20260525]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Chuck-Lever/SUNRPC-Reject-short-RFC-4121-MIC-tokens-in-gss_krb5_verify_mic_v2/20260524-005345
base: git://git.linux-nfs.org/projects/trondmy/linux-nfs.git linux-next
patch link: https://lore.kernel.org/r/20260523165237.510204-1-cel%40kernel.org
patch subject: [PATCH] SUNRPC: Reject short RFC 4121 MIC tokens in gss_krb5_verify_mic_v2
config: hexagon-allmodconfig (https://download.01.org/0day-ci/archive/20260526/202605260319.m5jggKFF-lkp@intel.com/config)
compiler: clang version 17.0.6 (https://github.com/llvm/llvm-project 6009708b4367171ccdbf4b5905cb6a803753fe18)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260526/202605260319.m5jggKFF-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202605260319.m5jggKFF-lkp@intel.com/
All errors (new ones prefixed by >>):
>> net/sunrpc/auth_gss/gss_krb5_unseal.c:89:47: error: use of undeclared identifier 'cksum_len'
89 | if (read_token->len < GSS_KRB5_TOK_HDR_LEN + cksum_len)
| ^
1 error generated.
vim +/cksum_len +89 net/sunrpc/auth_gss/gss_krb5_unseal.c
69
70 u32
71 gss_krb5_verify_mic_v2(struct krb5_ctx *ctx, struct xdr_buf *message_buffer,
72 struct xdr_netobj *read_token)
73 {
74 struct crypto_ahash *tfm = ctx->initiate ?
75 ctx->acceptor_sign : ctx->initiator_sign;
76 char cksumdata[GSS_KRB5_MAX_CKSUM_LEN];
77 struct xdr_netobj cksumobj = {
78 .len = ctx->gk5e->cksumlength,
79 .data = cksumdata,
80 };
81 u8 *ptr = read_token->data;
82 __be16 be16_ptr;
83 time64_t now;
84 u8 flags;
85 int i;
86
87 dprintk("RPC: %s\n", __func__);
88
> 89 if (read_token->len < GSS_KRB5_TOK_HDR_LEN + cksum_len)
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-05-25 19:59 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-23 16:52 [PATCH] SUNRPC: Reject short RFC 4121 MIC tokens in gss_krb5_verify_mic_v2 Chuck Lever
2026-05-24 10:47 ` Jeff Layton
2026-05-25 16:11 ` kernel test robot
2026-05-25 19:58 ` kernel test robot
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.