diff options
| author | David Howells <dhowells@redhat.com> | 2019-02-14 11:20:25 -0500 |
|---|---|---|
| committer | James Morris <james.morris@microsoft.com> | 2019-02-15 17:12:09 -0500 |
| commit | 822ad64d7e46a8e2c8b8a796738d7b657cbb146d (patch) | |
| tree | 1a90686fb8e972e8d202500ab3d53196ec29cd16 /fs | |
| parent | bb2ba2d75a2d673e76ddaf13a9bd30d6a8b1bb08 (diff) | |
keys: Fix dependency loop between construction record and auth key
In the request_key() upcall mechanism there's a dependency loop by which if
a key type driver overrides the ->request_key hook and the userspace side
manages to lose the authorisation key, the auth key and the internal
construction record (struct key_construction) can keep each other pinned.
Fix this by the following changes:
(1) Killing off the construction record and using the auth key instead.
(2) Including the operation name in the auth key payload and making the
payload available outside of security/keys/.
(3) The ->request_key hook is given the authkey instead of the cons
record and operation name.
Changes (2) and (3) allow the auth key to naturally be cleaned up if the
keyring it is in is destroyed or cleared or the auth key is unlinked.
Fixes: 7ee02a316600 ("keys: Fix dependency loop between construction record and auth key")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/nfs/nfs4idmap.c | 31 |
1 files changed, 17 insertions, 14 deletions
diff --git a/fs/nfs/nfs4idmap.c b/fs/nfs/nfs4idmap.c index 3f23b6840547..bf34ddaa2ad7 100644 --- a/fs/nfs/nfs4idmap.c +++ b/fs/nfs/nfs4idmap.c | |||
| @@ -44,6 +44,7 @@ | |||
| 44 | #include <linux/keyctl.h> | 44 | #include <linux/keyctl.h> |
| 45 | #include <linux/key-type.h> | 45 | #include <linux/key-type.h> |
| 46 | #include <keys/user-type.h> | 46 | #include <keys/user-type.h> |
| 47 | #include <keys/request_key_auth-type.h> | ||
| 47 | #include <linux/module.h> | 48 | #include <linux/module.h> |
| 48 | 49 | ||
| 49 | #include "internal.h" | 50 | #include "internal.h" |
| @@ -59,7 +60,7 @@ static struct key_type key_type_id_resolver_legacy; | |||
| 59 | struct idmap_legacy_upcalldata { | 60 | struct idmap_legacy_upcalldata { |
| 60 | struct rpc_pipe_msg pipe_msg; | 61 | struct rpc_pipe_msg pipe_msg; |
| 61 | struct idmap_msg idmap_msg; | 62 | struct idmap_msg idmap_msg; |
| 62 | struct key_construction *key_cons; | 63 | struct key *authkey; |
| 63 | struct idmap *idmap; | 64 | struct idmap *idmap; |
| 64 | }; | 65 | }; |
| 65 | 66 | ||
| @@ -384,7 +385,7 @@ static const match_table_t nfs_idmap_tokens = { | |||
| 384 | { Opt_find_err, NULL } | 385 | { Opt_find_err, NULL } |
| 385 | }; | 386 | }; |
| 386 | 387 | ||
| 387 | static int nfs_idmap_legacy_upcall(struct key_construction *, const char *, void *); | 388 | static int nfs_idmap_legacy_upcall(struct key *, void *); |
| 388 | static ssize_t idmap_pipe_downcall(struct file *, const char __user *, | 389 | static ssize_t idmap_pipe_downcall(struct file *, const char __user *, |
| 389 | size_t); | 390 | size_t); |
| 390 | static void idmap_release_pipe(struct inode *); | 391 | static void idmap_release_pipe(struct inode *); |
| @@ -549,11 +550,12 @@ nfs_idmap_prepare_pipe_upcall(struct idmap *idmap, | |||
| 549 | static void | 550 | static void |
| 550 | nfs_idmap_complete_pipe_upcall_locked(struct idmap *idmap, int ret) | 551 | nfs_idmap_complete_pipe_upcall_locked(struct idmap *idmap, int ret) |
| 551 | { | 552 | { |
| 552 | struct key_construction *cons = idmap->idmap_upcall_data->key_cons; | 553 | struct key *authkey = idmap->idmap_upcall_data->authkey; |
| 553 | 554 | ||
| 554 | kfree(idmap->idmap_upcall_data); | 555 | kfree(idmap->idmap_upcall_data); |
| 555 | idmap->idmap_upcall_data = NULL; | 556 | idmap->idmap_upcall_data = NULL; |
| 556 | complete_request_key(cons, ret); | 557 | complete_request_key(authkey, ret); |
| 558 | key_put(authkey); | ||
| 557 | } | 559 | } |
| 558 | 560 | ||
| 559 | static void | 561 | static void |
| @@ -563,15 +565,14 @@ nfs_idmap_abort_pipe_upcall(struct idmap *idmap, int ret) | |||
| 563 | nfs_idmap_complete_pipe_upcall_locked(idmap, ret); | 565 | nfs_idmap_complete_pipe_upcall_locked(idmap, ret); |
| 564 | } | 566 | } |
| 565 | 567 | ||
| 566 | static int nfs_idmap_legacy_upcall(struct key_construction *cons, | 568 | static int nfs_idmap_legacy_upcall(struct key *authkey, void *aux) |
| 567 | const char *op, | ||
| 568 | void *aux) | ||
| 569 | { | 569 | { |
| 570 | struct idmap_legacy_upcalldata *data; | 570 | struct idmap_legacy_upcalldata *data; |
| 571 | struct request_key_auth *rka = get_request_key_auth(authkey); | ||
| 571 | struct rpc_pipe_msg *msg; | 572 | struct rpc_pipe_msg *msg; |
| 572 | struct idmap_msg *im; | 573 | struct idmap_msg *im; |
| 573 | struct idmap *idmap = (struct idmap *)aux; | 574 | struct idmap *idmap = (struct idmap *)aux; |
| 574 | struct key *key = cons->key; | 575 | struct key *key = rka->target_key; |
| 575 | int ret = -ENOKEY; | 576 | int ret = -ENOKEY; |
| 576 | 577 | ||
| 577 | if (!aux) | 578 | if (!aux) |
| @@ -586,7 +587,7 @@ static int nfs_idmap_legacy_upcall(struct key_construction *cons, | |||
| 586 | msg = &data->pipe_msg; | 587 | msg = &data->pipe_msg; |
| 587 | im = &data->idmap_msg; | 588 | im = &data->idmap_msg; |
| 588 | data->idmap = idmap; | 589 | data->idmap = idmap; |
| 589 | data->key_cons = cons; | 590 | data->authkey = key_get(authkey); |
| 590 | 591 | ||
| 591 | ret = nfs_idmap_prepare_message(key->description, idmap, im, msg); | 592 | ret = nfs_idmap_prepare_message(key->description, idmap, im, msg); |
| 592 | if (ret < 0) | 593 | if (ret < 0) |
| @@ -604,7 +605,7 @@ static int nfs_idmap_legacy_upcall(struct key_construction *cons, | |||
| 604 | out2: | 605 | out2: |
| 605 | kfree(data); | 606 | kfree(data); |
| 606 | out1: | 607 | out1: |
| 607 | complete_request_key(cons, ret); | 608 | complete_request_key(authkey, ret); |
| 608 | return ret; | 609 | return ret; |
| 609 | } | 610 | } |
| 610 | 611 | ||
| @@ -651,9 +652,10 @@ out: | |||
| 651 | static ssize_t | 652 | static ssize_t |
| 652 | idmap_pipe_downcall(struct file *filp, const char __user *src, size_t mlen) | 653 | idmap_pipe_downcall(struct file *filp, const char __user *src, size_t mlen) |
| 653 | { | 654 | { |
| 655 | struct request_key_auth *rka; | ||
| 654 | struct rpc_inode *rpci = RPC_I(file_inode(filp)); | 656 | struct rpc_inode *rpci = RPC_I(file_inode(filp)); |
| 655 | struct idmap *idmap = (struct idmap *)rpci->private; | 657 | struct idmap *idmap = (struct idmap *)rpci->private; |
| 656 | struct key_construction *cons; | 658 | struct key *authkey; |
| 657 | struct idmap_msg im; | 659 | struct idmap_msg im; |
| 658 | size_t namelen_in; | 660 | size_t namelen_in; |
| 659 | int ret = -ENOKEY; | 661 | int ret = -ENOKEY; |
| @@ -665,7 +667,8 @@ idmap_pipe_downcall(struct file *filp, const char __user *src, size_t mlen) | |||
| 665 | if (idmap->idmap_upcall_data == NULL) | 667 | if (idmap->idmap_upcall_data == NULL) |
| 666 | goto out_noupcall; | 668 | goto out_noupcall; |
| 667 | 669 | ||
| 668 | cons = idmap->idmap_upcall_data->key_cons; | 670 | authkey = idmap->idmap_upcall_data->authkey; |
| 671 | rka = get_request_key_auth(authkey); | ||
| 669 | 672 | ||
| 670 | if (mlen != sizeof(im)) { | 673 | if (mlen != sizeof(im)) { |
| 671 | ret = -ENOSPC; | 674 | ret = -ENOSPC; |
| @@ -690,9 +693,9 @@ idmap_pipe_downcall(struct file *filp, const char __user *src, size_t mlen) | |||
| 690 | 693 | ||
| 691 | ret = nfs_idmap_read_and_verify_message(&im, | 694 | ret = nfs_idmap_read_and_verify_message(&im, |
| 692 | &idmap->idmap_upcall_data->idmap_msg, | 695 | &idmap->idmap_upcall_data->idmap_msg, |
| 693 | cons->key, cons->authkey); | 696 | rka->target_key, authkey); |
| 694 | if (ret >= 0) { | 697 | if (ret >= 0) { |
| 695 | key_set_timeout(cons->key, nfs_idmap_cache_timeout); | 698 | key_set_timeout(rka->target_key, nfs_idmap_cache_timeout); |
| 696 | ret = mlen; | 699 | ret = mlen; |
| 697 | } | 700 | } |
| 698 | 701 | ||