From: Eric Biggers <ebiggers3@gmail.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: keyrings@vger.kernel.org, David Howells <dhowells@redhat.com>,
Andy Lutomirski <luto@kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
Eric Biggers <ebiggers@google.com>,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] KEYS: encrypted: avoid encrypting/decrypting stack buffers
Date: Sat, 1 Apr 2017 20:33:49 -0700 [thread overview]
Message-ID: <20170402033349.GA5346@zzz> (raw)
In-Reply-To: <1491099837.3499.163.camel@linux.vnet.ibm.com>
On Sat, Apr 01, 2017 at 10:23:57PM -0400, Mimi Zohar wrote:
> On Sat, 2017-04-01 at 12:17 -0700, Eric Biggers wrote:
> > From: Eric Biggers <ebiggers@google.com>
> >
> > Since v4.9, the crypto API cannot (normally) be used to encrypt/decrypt
> > stack buffers because the stack may be virtually mapped. Fix this for
> > the padding buffers in encrypted-keys by using ZERO_PAGE for the
> > encryption padding and by allocating a temporary heap buffer for the
> > decryption padding.
> >
> > Tested with CONFIG_DEBUG_SG=y:
> > keyctl new_session
> > keyctl add user master "abcdefghijklmnop" @s
> > keyid=$(keyctl add encrypted desc "new user:master 25" @s)
> > datablob="$(keyctl pipe $keyid)"
> > keyctl unlink $keyid
> > keyid=$(keyctl add encrypted desc "load $datablob" @s)
> > datablob2="$(keyctl pipe $keyid)"
> > [ "$datablob" = "$datablob2" ] && echo "Success!"
>
> Have you created an encrypted key on a kernel without this patch and
> attempted to load that key on a kernel with this patch? Does it still
> work?
>
Yes, a key exported from an unpatched kernel (with DEBUG_SG and DEBUG_VIRTUAL
turned off so it doesn't crash) can be loaded on a patched kernel, then exported
again. The exported data is identical.
Eric
next prev parent reply other threads:[~2017-04-02 3:33 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-01 19:17 [PATCH] KEYS: encrypted: avoid encrypting/decrypting stack buffers Eric Biggers
2017-04-02 2:23 ` Mimi Zohar
2017-04-02 3:33 ` Eric Biggers [this message]
2017-04-03 15:55 ` Mimi Zohar
2017-04-03 18:21 ` Eric Biggers
2017-04-03 15:44 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170402033349.GA5346@zzz \
--to=ebiggers3@gmail.com \
--cc=dhowells@redhat.com \
--cc=ebiggers@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=keyrings@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=stable@vger.kernel.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox