From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Google-Smtp-Source: AH8x2243amj5/kuAu8BxrFOJ+jA6wdr/AYoOqu/OEXZR5wZ4pcNEtw45uE84PXn6jZuDJdoHveax ARC-Seal: i=1; a=rsa-sha256; t=1516611212; cv=none; d=google.com; s=arc-20160816; b=LWDWtbSO+CtY5atxmLOzPiq9HxrslQPPUm7K4OtNBdaxhiSxS7RKc/SN2YXEaNRdXb huogr5IGSAeuO1OflChA/DaJWXLXYJhFIyTMFl/MAl8lUj8fI+LasmA5u9DgMHIVi4KN 48ZvLY2uK1ZdOFhdiiVZfTUzOXro+4dsTtObhtz+nEMvcC9KckCtaK4WoP/O1dbbq4nG j8Qi8FLehlug0Z1AUigp/AZGk0D9eTK0x/kWiQ9zjKdCgqdr1uXX+pGf8kdX7mz06aEV NVueygX8bwfZWJbpXKf3vVk2R/ppoiTs5LJWQxZuS/1si59OPWiMp6H8V5/I1Ov09h+N Cz2Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:user-agent:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=w0K/21Zv8S2YsPrnXt43s/4xRGtu8FE7gXPziwE48mo=; b=m1iJcqkzlF7AQn6F7iEwz07fNj47ENYC2BSJFVXgNm1lovjTrdUvTxlrgyjL32lsEM hwPDcIiBhANeawjhC/K8FQ1j4EyifiTmr6QxpwXD6bqTm3Cs8pugAKzBPK1QknZ2Il9b UD98x6qMF/VKamrHMdCozyOm/AsGQoLHoxaNpQepQ922X4j4p5/OIgcoM7fJpTUEIjpe Qsp4GVwNZTwOy8v96ebV1M8YeV8y1/kk6SI09QOV46S6VSB583Z69J/b45Cj9EeIg7J5 I1ktRLIBBW/UevRSFt2qssR4dEIRIn7HM1qOGvNE7ObAN8d/5LLzKxtKzjhtwlQ6QjDi ltNA== ARC-Authentication-Results: i=1; mx.google.com; spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.71.90 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.71.90 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ondrej Kozina , Milan Broz , Mike Snitzer Subject: [PATCH 4.14 74/89] dm crypt: wipe kernel key copy after IV initialization Date: Mon, 22 Jan 2018 09:45:54 +0100 Message-Id: <20180122084001.838083977@linuxfoundation.org> X-Mailer: git-send-email 2.16.0 In-Reply-To: <20180122083954.683903493@linuxfoundation.org> References: <20180122083954.683903493@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-LABELS: =?utf-8?b?IlxcU2VudCI=?= X-GMAIL-THRID: =?utf-8?q?1590282119526351791?= X-GMAIL-MSGID: =?utf-8?q?1590282119526351791?= X-Mailing-List: linux-kernel@vger.kernel.org List-ID: 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Ondrej Kozina commit dc94902bde1e158cd19c4deab208e5d6eb382a44 upstream. Loading key via kernel keyring service erases the internal key copy immediately after we pass it in crypto layer. This is wrong because IV is initialized later and we use wrong key for the initialization (instead of real key there's just zeroed block). The bug may cause data corruption if key is loaded via kernel keyring service first and later same crypt device is reactivated using exactly same key in hexbyte representation, or vice versa. The bug (and fix) affects only ciphers using following IVs: essiv, lmk and tcw. Fixes: c538f6ec9f56 ("dm crypt: add ability to use keys from the kernel key retention service") Signed-off-by: Ondrej Kozina Reviewed-by: Milan Broz Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman --- drivers/md/dm-crypt.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) --- a/drivers/md/dm-crypt.c +++ b/drivers/md/dm-crypt.c @@ -2058,9 +2058,6 @@ static int crypt_set_keyring_key(struct ret = crypt_setkey(cc); - /* wipe the kernel key payload copy in each case */ - memset(cc->key, 0, cc->key_size * sizeof(u8)); - if (!ret) { set_bit(DM_CRYPT_KEY_VALID, &cc->flags); kzfree(cc->key_string); @@ -2528,6 +2525,10 @@ static int crypt_ctr_cipher(struct dm_ta } } + /* wipe the kernel key payload copy */ + if (cc->key_string) + memset(cc->key, 0, cc->key_size * sizeof(u8)); + return ret; } @@ -2966,6 +2967,9 @@ static int crypt_message(struct dm_targe return ret; if (cc->iv_gen_ops && cc->iv_gen_ops->init) ret = cc->iv_gen_ops->init(cc); + /* wipe the kernel key payload copy */ + if (cc->key_string) + memset(cc->key, 0, cc->key_size * sizeof(u8)); return ret; } if (argc == 2 && !strcasecmp(argv[1], "wipe")) { @@ -3012,7 +3016,7 @@ static void crypt_io_hints(struct dm_tar static struct target_type crypt_target = { .name = "crypt", - .version = {1, 18, 0}, + .version = {1, 18, 1}, .module = THIS_MODULE, .ctr = crypt_ctr, .dtr = crypt_dtr,