* dm-crypt accepts '+' in the key
@ 2016-11-12 20:20 Mikulas Patocka
2016-11-13 14:45 ` Milan Broz
0 siblings, 1 reply; 4+ messages in thread
From: Mikulas Patocka @ 2016-11-12 20:20 UTC (permalink / raw)
To: Ondrej Kozina, Mike Snitzer, Alexey Dobriyan; +Cc: dm-devel, linux-kernel
Hi
dm-crypt uses the function kstrtou8 to decode the encryption key. kstrtou8
calls kstrtoull and kstrtoull skips the first character if it is '+'.
Consequently, it is possible to load keys with '+' in it. For example,
this is possible:
dmsetup create cr --table "0 131072 crypt aes-cbc-essiv:sha256 +0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0 0 /dev/debian/tmptest 0"
Should this be fixed in dm-crypt or in kstrtou8? A fix in kstrtou8 could
be more appropriate, but we don't know how many other kernel parts depend
on this "skip plus" behavior...
Mikulas
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: dm-crypt accepts '+' in the key
2016-11-12 20:20 dm-crypt accepts '+' in the key Mikulas Patocka
@ 2016-11-13 14:45 ` Milan Broz
2016-11-14 0:36 ` Alexey Dobriyan
0 siblings, 1 reply; 4+ messages in thread
From: Milan Broz @ 2016-11-13 14:45 UTC (permalink / raw)
To: Mikulas Patocka, Ondrej Kozina, Mike Snitzer, Alexey Dobriyan
Cc: dm-devel, linux-kernel
On 11/12/2016 09:20 PM, Mikulas Patocka wrote:
> Hi
>
> dm-crypt uses the function kstrtou8 to decode the encryption key. kstrtou8
> calls kstrtoull and kstrtoull skips the first character if it is '+'.
>
> Consequently, it is possible to load keys with '+' in it. For example,
> this is possible:
>
> dmsetup create cr --table "0 131072 crypt aes-cbc-essiv:sha256 +0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0 0 /dev/debian/tmptest 0"
>
> Should this be fixed in dm-crypt or in kstrtou8? A fix in kstrtou8 could
> be more appropriate, but we don't know how many other kernel parts depend
> on this "skip plus" behavior...
I would way it should be checked in both places...
For dmcrypt, it should validate input here and should
not accept anything in key field in dm table that is not in hexa representation.
(Is this regression since code switched from simple_strtoul to kstrtou8
or this bug was there always?)
Milan
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: dm-crypt accepts '+' in the key
2016-11-13 14:45 ` Milan Broz
@ 2016-11-14 0:36 ` Alexey Dobriyan
2016-11-14 21:09 ` Mikulas Patocka
0 siblings, 1 reply; 4+ messages in thread
From: Alexey Dobriyan @ 2016-11-14 0:36 UTC (permalink / raw)
To: Milan Broz
Cc: Mikulas Patocka, Ondrej Kozina, Mike Snitzer, dm-devel,
linux-kernel
On Sun, Nov 13, 2016 at 03:45:27PM +0100, Milan Broz wrote:
> On 11/12/2016 09:20 PM, Mikulas Patocka wrote:
> > Hi
> >
> > dm-crypt uses the function kstrtou8 to decode the encryption key. kstrtou8
> > calls kstrtoull and kstrtoull skips the first character if it is '+'.
> >
> > Consequently, it is possible to load keys with '+' in it. For example,
> > this is possible:
> >
> > dmsetup create cr --table "0 131072 crypt aes-cbc-essiv:sha256 +0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0 0 /dev/debian/tmptest 0"
> >
> > Should this be fixed in dm-crypt or in kstrtou8? A fix in kstrtou8 could
> > be more appropriate, but we don't know how many other kernel parts depend
> > on this "skip plus" behavior...
>
> I would way it should be checked in both places...
> For dmcrypt, it should validate input here and should
> not accept anything in key field in dm table that is not in hexa representation.
>
> (Is this regression since code switched from simple_strtoul to kstrtou8
> or this bug was there always?)
Well, before kernel would silently parse anything broken as "0".
But since it is base-16, "0[xX]" will be accepted before every byte.
dm-crypt should parse key by hand, frankly.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: dm-crypt accepts '+' in the key
2016-11-14 0:36 ` Alexey Dobriyan
@ 2016-11-14 21:09 ` Mikulas Patocka
0 siblings, 0 replies; 4+ messages in thread
From: Mikulas Patocka @ 2016-11-14 21:09 UTC (permalink / raw)
To: Alexey Dobriyan
Cc: Milan Broz, Ondrej Kozina, Mike Snitzer, dm-devel, linux-kernel
On Mon, 14 Nov 2016, Alexey Dobriyan wrote:
> On Sun, Nov 13, 2016 at 03:45:27PM +0100, Milan Broz wrote:
> > On 11/12/2016 09:20 PM, Mikulas Patocka wrote:
> > > Hi
> > >
> > > dm-crypt uses the function kstrtou8 to decode the encryption key. kstrtou8
> > > calls kstrtoull and kstrtoull skips the first character if it is '+'.
> > >
> > > Consequently, it is possible to load keys with '+' in it. For example,
> > > this is possible:
> > >
> > > dmsetup create cr --table "0 131072 crypt aes-cbc-essiv:sha256 +0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0 0 /dev/debian/tmptest 0"
> > >
> > > Should this be fixed in dm-crypt or in kstrtou8? A fix in kstrtou8 could
> > > be more appropriate, but we don't know how many other kernel parts depend
> > > on this "skip plus" behavior...
> >
> > I would way it should be checked in both places...
> > For dmcrypt, it should validate input here and should
> > not accept anything in key field in dm table that is not in hexa representation.
> >
> > (Is this regression since code switched from simple_strtoul to kstrtou8
> > or this bug was there always?)
>
> Well, before kernel would silently parse anything broken as "0".
dm-crypt already validates that there are exactly two characters passed to
kstrtou8 or simple_strtoul.
> But since it is base-16, "0[xX]" will be accepted before every byte.
Yes, the old dm-crypt code that used simple_strtoul accepted "0x" in a key
(and parsed it as zero byte). It didn't accept "+" or "-".
> dm-crypt should parse key by hand, frankly.
Mikulas
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-11-14 21:09 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-11-12 20:20 dm-crypt accepts '+' in the key Mikulas Patocka
2016-11-13 14:45 ` Milan Broz
2016-11-14 0:36 ` Alexey Dobriyan
2016-11-14 21:09 ` Mikulas Patocka
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).