* [PATCH] SUNRPC: Reject short RFC 4121 MIC tokens in gss_krb5_verify_mic_v2
@ 2026-05-23 16:52 Chuck Lever
2026-05-24 10:47 ` Jeff Layton
0 siblings, 1 reply; 2+ messages in thread
From: Chuck Lever @ 2026-05-23 16:52 UTC (permalink / raw)
To: NeilBrown, Jeff Layton, Olga Kornievskaia, Dai Ngo, Tom Talpey
Cc: linux-nfs, Chuck Lever, Chris Mason
From: Chuck Lever <chuck.lever@oracle.com>
gss_krb5_verify_mic_v2() reads the token ID at ptr[0..1], the flags
byte at ptr[2], and padding at ptr[3..7], then passes
ptr + GSS_KRB5_TOK_HDR_LEN and cksum_len to gss_krb5_mic_build_sg().
None of these accesses check read_token->len first.
The minimum safe token size is GSS_KRB5_TOK_HDR_LEN (16) plus
ctx->krb5e->cksum_len (12-24, depending on the enctype). All callers
accept shorter tokens from the wire:
- gss_unwrap_resp_integ() enforces only an upper bound
(offset + len <= rcv_buf->len) before allocating
mic.data = kmalloc(len) and passing it to gss_verify_mic().
A malicious NFS server can therefore supply a short checksum
opaque, producing a small slab allocation that the Kerberos MIC
verifier reads past.
- gss_validate() enforces only len <= RPC_MAX_AUTH_SIZE (400)
before passing the wire-supplied length to
gss_validate_seqno_mic(), which constructs a mic xdr_netobj
and calls gss_verify_mic().
- svcauth_gss_verify_header() enforces only
checksum.len >= XDR_UNIT (4 bytes) before dispatching to
gss_verify_mic().
- svcauth_gss_unwrap_integ() checks only that the checksum fits
in gsd->gsd_scratch.
Add a length guard at the top of gss_krb5_verify_mic_v2(), before any
ptr[] access or scatterlist construction. Well-formed MIC tokens from
gss_krb5_get_mic_v2() already have exactly GSS_KRB5_TOK_HDR_LEN +
cksum_len bytes, so valid traffic is unaffected.
Reported-by: Chris Mason <clm@meta.com>
Fixes: de9c17eb4a91 ("gss_krb5: add support for new token formats in rfc4121")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
net/sunrpc/auth_gss/gss_krb5_unseal.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/sunrpc/auth_gss/gss_krb5_unseal.c b/net/sunrpc/auth_gss/gss_krb5_unseal.c
index b5fb70419faa..4d12d49434c2 100644
--- a/net/sunrpc/auth_gss/gss_krb5_unseal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c
@@ -89,6 +89,9 @@ gss_krb5_verify_mic_v2(struct krb5_ctx *ctx, struct xdr_buf *message_buffer,
dprintk("RPC: %s\n", __func__);
+ if (read_token->len < GSS_KRB5_TOK_HDR_LEN + cksum_len)
+ return GSS_S_DEFECTIVE_TOKEN;
+
memcpy(&be16_ptr, (char *) ptr, 2);
if (be16_to_cpu(be16_ptr) != KG2_TOK_MIC)
return GSS_S_DEFECTIVE_TOKEN;
--
2.54.0
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH] SUNRPC: Reject short RFC 4121 MIC tokens in gss_krb5_verify_mic_v2
2026-05-23 16:52 [PATCH] SUNRPC: Reject short RFC 4121 MIC tokens in gss_krb5_verify_mic_v2 Chuck Lever
@ 2026-05-24 10:47 ` Jeff Layton
0 siblings, 0 replies; 2+ messages in thread
From: Jeff Layton @ 2026-05-24 10:47 UTC (permalink / raw)
To: Chuck Lever, NeilBrown, Olga Kornievskaia, Dai Ngo, Tom Talpey
Cc: linux-nfs, Chuck Lever, Chris Mason
On Sat, 2026-05-23 at 12:52 -0400, Chuck Lever wrote:
> From: Chuck Lever <chuck.lever@oracle.com>
>
> gss_krb5_verify_mic_v2() reads the token ID at ptr[0..1], the flags
> byte at ptr[2], and padding at ptr[3..7], then passes
> ptr + GSS_KRB5_TOK_HDR_LEN and cksum_len to gss_krb5_mic_build_sg().
> None of these accesses check read_token->len first.
>
> The minimum safe token size is GSS_KRB5_TOK_HDR_LEN (16) plus
> ctx->krb5e->cksum_len (12-24, depending on the enctype). All callers
> accept shorter tokens from the wire:
>
> - gss_unwrap_resp_integ() enforces only an upper bound
> (offset + len <= rcv_buf->len) before allocating
> mic.data = kmalloc(len) and passing it to gss_verify_mic().
> A malicious NFS server can therefore supply a short checksum
> opaque, producing a small slab allocation that the Kerberos MIC
> verifier reads past.
>
> - gss_validate() enforces only len <= RPC_MAX_AUTH_SIZE (400)
> before passing the wire-supplied length to
> gss_validate_seqno_mic(), which constructs a mic xdr_netobj
> and calls gss_verify_mic().
>
> - svcauth_gss_verify_header() enforces only
> checksum.len >= XDR_UNIT (4 bytes) before dispatching to
> gss_verify_mic().
>
> - svcauth_gss_unwrap_integ() checks only that the checksum fits
> in gsd->gsd_scratch.
>
> Add a length guard at the top of gss_krb5_verify_mic_v2(), before any
> ptr[] access or scatterlist construction. Well-formed MIC tokens from
> gss_krb5_get_mic_v2() already have exactly GSS_KRB5_TOK_HDR_LEN +
> cksum_len bytes, so valid traffic is unaffected.
>
> Reported-by: Chris Mason <clm@meta.com>
> Fixes: de9c17eb4a91 ("gss_krb5: add support for new token formats in rfc4121")
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> ---
> net/sunrpc/auth_gss/gss_krb5_unseal.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/sunrpc/auth_gss/gss_krb5_unseal.c b/net/sunrpc/auth_gss/gss_krb5_unseal.c
> index b5fb70419faa..4d12d49434c2 100644
> --- a/net/sunrpc/auth_gss/gss_krb5_unseal.c
> +++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c
> @@ -89,6 +89,9 @@ gss_krb5_verify_mic_v2(struct krb5_ctx *ctx, struct xdr_buf *message_buffer,
>
> dprintk("RPC: %s\n", __func__);
>
> + if (read_token->len < GSS_KRB5_TOK_HDR_LEN + cksum_len)
> + return GSS_S_DEFECTIVE_TOKEN;
> +
> memcpy(&be16_ptr, (char *) ptr, 2);
> if (be16_to_cpu(be16_ptr) != KG2_TOK_MIC)
> return GSS_S_DEFECTIVE_TOKEN;
Reviewed-by: Jeff Layton <jlayton@kernel.org>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-05-24 10:47 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-23 16:52 [PATCH] SUNRPC: Reject short RFC 4121 MIC tokens in gss_krb5_verify_mic_v2 Chuck Lever
2026-05-24 10:47 ` Jeff Layton
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox