diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2014-09-11 21:03:21 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-09-11 21:03:21 -0400 |
| commit | c73f6fdf2fc534e47b2a1ebfe00e57d585ef5b57 (patch) | |
| tree | db143197352e03a15e5aa7161ba26609a3693535 | |
| parent | 7ee2d2d67144965d9d3607369ab0ebf5bad230c0 (diff) | |
| parent | c27a3e4d667fdcad3db7b104f75659478e0c68d8 (diff) | |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client
Pull Ceph fixes from Sage Weil:
"The main thing here is a set of three patches that fix a buffer
overrun for large authentication tickets (sigh).
There is also a trivial warning fix and an error path fix that are
both regressions"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
libceph: do not hard code max auth ticket len
libceph: add process_one_ticket() helper
libceph: gracefully handle large reply messages from the mon
rbd: fix error return code in rbd_dev_device_setup()
rbd: avoid format-security warning inside alloc_workqueue()
| -rw-r--r-- | drivers/block/rbd.c | 6 | ||||
| -rw-r--r-- | net/ceph/auth_x.c | 256 | ||||
| -rw-r--r-- | net/ceph/mon_client.c | 8 |
3 files changed, 147 insertions, 123 deletions
diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c index 623c84145b79..4b97baf8afa3 100644 --- a/drivers/block/rbd.c +++ b/drivers/block/rbd.c | |||
| @@ -5087,9 +5087,11 @@ static int rbd_dev_device_setup(struct rbd_device *rbd_dev) | |||
| 5087 | set_capacity(rbd_dev->disk, rbd_dev->mapping.size / SECTOR_SIZE); | 5087 | set_capacity(rbd_dev->disk, rbd_dev->mapping.size / SECTOR_SIZE); |
| 5088 | set_disk_ro(rbd_dev->disk, rbd_dev->mapping.read_only); | 5088 | set_disk_ro(rbd_dev->disk, rbd_dev->mapping.read_only); |
| 5089 | 5089 | ||
| 5090 | rbd_dev->rq_wq = alloc_workqueue(rbd_dev->disk->disk_name, 0, 0); | 5090 | rbd_dev->rq_wq = alloc_workqueue("%s", 0, 0, rbd_dev->disk->disk_name); |
| 5091 | if (!rbd_dev->rq_wq) | 5091 | if (!rbd_dev->rq_wq) { |
| 5092 | ret = -ENOMEM; | ||
| 5092 | goto err_out_mapping; | 5093 | goto err_out_mapping; |
| 5094 | } | ||
| 5093 | 5095 | ||
| 5094 | ret = rbd_bus_add_dev(rbd_dev); | 5096 | ret = rbd_bus_add_dev(rbd_dev); |
| 5095 | if (ret) | 5097 | if (ret) |
diff --git a/net/ceph/auth_x.c b/net/ceph/auth_x.c index 96238ba95f2b..de6662b14e1f 100644 --- a/net/ceph/auth_x.c +++ b/net/ceph/auth_x.c | |||
| @@ -13,8 +13,6 @@ | |||
| 13 | #include "auth_x.h" | 13 | #include "auth_x.h" |
| 14 | #include "auth_x_protocol.h" | 14 | #include "auth_x_protocol.h" |
| 15 | 15 | ||
| 16 | #define TEMP_TICKET_BUF_LEN 256 | ||
| 17 | |||
| 18 | static void ceph_x_validate_tickets(struct ceph_auth_client *ac, int *pneed); | 16 | static void ceph_x_validate_tickets(struct ceph_auth_client *ac, int *pneed); |
| 19 | 17 | ||
| 20 | static int ceph_x_is_authenticated(struct ceph_auth_client *ac) | 18 | static int ceph_x_is_authenticated(struct ceph_auth_client *ac) |
| @@ -64,7 +62,7 @@ static int ceph_x_encrypt(struct ceph_crypto_key *secret, | |||
| 64 | } | 62 | } |
| 65 | 63 | ||
| 66 | static int ceph_x_decrypt(struct ceph_crypto_key *secret, | 64 | static int ceph_x_decrypt(struct ceph_crypto_key *secret, |
| 67 | void **p, void *end, void *obuf, size_t olen) | 65 | void **p, void *end, void **obuf, size_t olen) |
| 68 | { | 66 | { |
| 69 | struct ceph_x_encrypt_header head; | 67 | struct ceph_x_encrypt_header head; |
| 70 | size_t head_len = sizeof(head); | 68 | size_t head_len = sizeof(head); |
| @@ -75,8 +73,14 @@ static int ceph_x_decrypt(struct ceph_crypto_key *secret, | |||
| 75 | return -EINVAL; | 73 | return -EINVAL; |
| 76 | 74 | ||
| 77 | dout("ceph_x_decrypt len %d\n", len); | 75 | dout("ceph_x_decrypt len %d\n", len); |
| 78 | ret = ceph_decrypt2(secret, &head, &head_len, obuf, &olen, | 76 | if (*obuf == NULL) { |
| 79 | *p, len); | 77 | *obuf = kmalloc(len, GFP_NOFS); |
| 78 | if (!*obuf) | ||
| 79 | return -ENOMEM; | ||
| 80 | olen = len; | ||
| 81 | } | ||
| 82 | |||
| 83 | ret = ceph_decrypt2(secret, &head, &head_len, *obuf, &olen, *p, len); | ||
| 80 | if (ret) | 84 | if (ret) |
| 81 | return ret; | 85 | return ret; |
| 82 | if (head.struct_v != 1 || le64_to_cpu(head.magic) != CEPHX_ENC_MAGIC) | 86 | if (head.struct_v != 1 || le64_to_cpu(head.magic) != CEPHX_ENC_MAGIC) |
| @@ -129,139 +133,120 @@ static void remove_ticket_handler(struct ceph_auth_client *ac, | |||
| 129 | kfree(th); | 133 | kfree(th); |
| 130 | } | 134 | } |
| 131 | 135 | ||
| 132 | static int ceph_x_proc_ticket_reply(struct ceph_auth_client *ac, | 136 | static int process_one_ticket(struct ceph_auth_client *ac, |
| 133 | struct ceph_crypto_key *secret, | 137 | struct ceph_crypto_key *secret, |
| 134 | void *buf, void *end) | 138 | void **p, void *end) |
| 135 | { | 139 | { |
| 136 | struct ceph_x_info *xi = ac->private; | 140 | struct ceph_x_info *xi = ac->private; |
| 137 | int num; | 141 | int type; |
| 138 | void *p = buf; | 142 | u8 tkt_struct_v, blob_struct_v; |
| 143 | struct ceph_x_ticket_handler *th; | ||
| 144 | void *dbuf = NULL; | ||
| 145 | void *dp, *dend; | ||
| 146 | int dlen; | ||
| 147 | char is_enc; | ||
| 148 | struct timespec validity; | ||
| 149 | struct ceph_crypto_key old_key; | ||
| 150 | void *ticket_buf = NULL; | ||
| 151 | void *tp, *tpend; | ||
| 152 | struct ceph_timespec new_validity; | ||
| 153 | struct ceph_crypto_key new_session_key; | ||
| 154 | struct ceph_buffer *new_ticket_blob; | ||
| 155 | unsigned long new_expires, new_renew_after; | ||
| 156 | u64 new_secret_id; | ||
| 139 | int ret; | 157 | int ret; |
| 140 | char *dbuf; | ||
| 141 | char *ticket_buf; | ||
| 142 | u8 reply_struct_v; | ||
| 143 | 158 | ||
| 144 | dbuf = kmalloc(TEMP_TICKET_BUF_LEN, GFP_NOFS); | 159 | ceph_decode_need(p, end, sizeof(u32) + 1, bad); |
| 145 | if (!dbuf) | ||
| 146 | return -ENOMEM; | ||
| 147 | 160 | ||
| 148 | ret = -ENOMEM; | 161 | type = ceph_decode_32(p); |
| 149 | ticket_buf = kmalloc(TEMP_TICKET_BUF_LEN, GFP_NOFS); | 162 | dout(" ticket type %d %s\n", type, ceph_entity_type_name(type)); |
| 150 | if (!ticket_buf) | ||
| 151 | goto out_dbuf; | ||
| 152 | 163 | ||
| 153 | ceph_decode_need(&p, end, 1 + sizeof(u32), bad); | 164 | tkt_struct_v = ceph_decode_8(p); |
| 154 | reply_struct_v = ceph_decode_8(&p); | 165 | if (tkt_struct_v != 1) |
| 155 | if (reply_struct_v != 1) | ||
| 156 | goto bad; | 166 | goto bad; |
| 157 | num = ceph_decode_32(&p); | ||
| 158 | dout("%d tickets\n", num); | ||
| 159 | while (num--) { | ||
| 160 | int type; | ||
| 161 | u8 tkt_struct_v, blob_struct_v; | ||
| 162 | struct ceph_x_ticket_handler *th; | ||
| 163 | void *dp, *dend; | ||
| 164 | int dlen; | ||
| 165 | char is_enc; | ||
| 166 | struct timespec validity; | ||
| 167 | struct ceph_crypto_key old_key; | ||
| 168 | void *tp, *tpend; | ||
| 169 | struct ceph_timespec new_validity; | ||
| 170 | struct ceph_crypto_key new_session_key; | ||
| 171 | struct ceph_buffer *new_ticket_blob; | ||
| 172 | unsigned long new_expires, new_renew_after; | ||
| 173 | u64 new_secret_id; | ||
| 174 | |||
| 175 | ceph_decode_need(&p, end, sizeof(u32) + 1, bad); | ||
| 176 | |||
| 177 | type = ceph_decode_32(&p); | ||
| 178 | dout(" ticket type %d %s\n", type, ceph_entity_type_name(type)); | ||
| 179 | |||
| 180 | tkt_struct_v = ceph_decode_8(&p); | ||
| 181 | if (tkt_struct_v != 1) | ||
| 182 | goto bad; | ||
| 183 | |||
| 184 | th = get_ticket_handler(ac, type); | ||
| 185 | if (IS_ERR(th)) { | ||
| 186 | ret = PTR_ERR(th); | ||
| 187 | goto out; | ||
| 188 | } | ||
| 189 | 167 | ||
| 190 | /* blob for me */ | 168 | th = get_ticket_handler(ac, type); |
| 191 | dlen = ceph_x_decrypt(secret, &p, end, dbuf, | 169 | if (IS_ERR(th)) { |
| 192 | TEMP_TICKET_BUF_LEN); | 170 | ret = PTR_ERR(th); |
| 193 | if (dlen <= 0) { | 171 | goto out; |
| 194 | ret = dlen; | 172 | } |
| 195 | goto out; | ||
| 196 | } | ||
| 197 | dout(" decrypted %d bytes\n", dlen); | ||
| 198 | dend = dbuf + dlen; | ||
| 199 | dp = dbuf; | ||
| 200 | 173 | ||
| 201 | tkt_struct_v = ceph_decode_8(&dp); | 174 | /* blob for me */ |
| 202 | if (tkt_struct_v != 1) | 175 | dlen = ceph_x_decrypt(secret, p, end, &dbuf, 0); |
| 203 | goto bad; | 176 | if (dlen <= 0) { |
| 177 | ret = dlen; | ||
| 178 | goto out; | ||
| 179 | } | ||
| 180 | dout(" decrypted %d bytes\n", dlen); | ||
| 181 | dp = dbuf; | ||
| 182 | dend = dp + dlen; | ||
| 204 | 183 | ||
| 205 | memcpy(&old_key, &th->session_key, sizeof(old_key)); | 184 | tkt_struct_v = ceph_decode_8(&dp); |
| 206 | ret = ceph_crypto_key_decode(&new_session_key, &dp, dend); | 185 | if (tkt_struct_v != 1) |
| 207 | if (ret) | 186 | goto bad; |
| 208 | goto out; | ||
| 209 | 187 | ||
| 210 | ceph_decode_copy(&dp, &new_validity, sizeof(new_validity)); | 188 | memcpy(&old_key, &th->session_key, sizeof(old_key)); |
| 211 | ceph_decode_timespec(&validity, &new_validity); | 189 | ret = ceph_crypto_key_decode(&new_session_key, &dp, dend); |
| 212 | new_expires = get_seconds() + validity.tv_sec; | 190 | if (ret) |
| 213 | new_renew_after = new_expires - (validity.tv_sec / 4); | 191 | goto out; |
| 214 | dout(" expires=%lu renew_after=%lu\n", new_expires, | ||
| 215 | new_renew_after); | ||
| 216 | 192 | ||
| 217 | /* ticket blob for service */ | 193 | ceph_decode_copy(&dp, &new_validity, sizeof(new_validity)); |
| 218 | ceph_decode_8_safe(&p, end, is_enc, bad); | 194 | ceph_decode_timespec(&validity, &new_validity); |
| 219 | tp = ticket_buf; | 195 | new_expires = get_seconds() + validity.tv_sec; |
| 220 | if (is_enc) { | 196 | new_renew_after = new_expires - (validity.tv_sec / 4); |
| 221 | /* encrypted */ | 197 | dout(" expires=%lu renew_after=%lu\n", new_expires, |
| 222 | dout(" encrypted ticket\n"); | 198 | new_renew_after); |
| 223 | dlen = ceph_x_decrypt(&old_key, &p, end, ticket_buf, | 199 | |
| 224 | TEMP_TICKET_BUF_LEN); | 200 | /* ticket blob for service */ |
| 225 | if (dlen < 0) { | 201 | ceph_decode_8_safe(p, end, is_enc, bad); |
| 226 | ret = dlen; | 202 | if (is_enc) { |
| 227 | goto out; | 203 | /* encrypted */ |
| 228 | } | 204 | dout(" encrypted ticket\n"); |
| 229 | dlen = ceph_decode_32(&tp); | 205 | dlen = ceph_x_decrypt(&old_key, p, end, &ticket_buf, 0); |
| 230 | } else { | 206 | if (dlen < 0) { |
| 231 | /* unencrypted */ | 207 | ret = dlen; |
| 232 | ceph_decode_32_safe(&p, end, dlen, bad); | 208 | goto out; |
| 233 | ceph_decode_need(&p, end, dlen, bad); | ||
| 234 | ceph_decode_copy(&p, ticket_buf, dlen); | ||
| 235 | } | 209 | } |
| 236 | tpend = tp + dlen; | 210 | tp = ticket_buf; |
| 237 | dout(" ticket blob is %d bytes\n", dlen); | 211 | dlen = ceph_decode_32(&tp); |
| 238 | ceph_decode_need(&tp, tpend, 1 + sizeof(u64), bad); | 212 | } else { |
| 239 | blob_struct_v = ceph_decode_8(&tp); | 213 | /* unencrypted */ |
| 240 | new_secret_id = ceph_decode_64(&tp); | 214 | ceph_decode_32_safe(p, end, dlen, bad); |
| 241 | ret = ceph_decode_buffer(&new_ticket_blob, &tp, tpend); | 215 | ticket_buf = kmalloc(dlen, GFP_NOFS); |
| 242 | if (ret) | 216 | if (!ticket_buf) { |
| 217 | ret = -ENOMEM; | ||
| 243 | goto out; | 218 | goto out; |
| 244 | 219 | } | |
| 245 | /* all is well, update our ticket */ | 220 | tp = ticket_buf; |
| 246 | ceph_crypto_key_destroy(&th->session_key); | 221 | ceph_decode_need(p, end, dlen, bad); |
| 247 | if (th->ticket_blob) | 222 | ceph_decode_copy(p, ticket_buf, dlen); |
| 248 | ceph_buffer_put(th->ticket_blob); | ||
| 249 | th->session_key = new_session_key; | ||
| 250 | th->ticket_blob = new_ticket_blob; | ||
| 251 | th->validity = new_validity; | ||
| 252 | th->secret_id = new_secret_id; | ||
| 253 | th->expires = new_expires; | ||
| 254 | th->renew_after = new_renew_after; | ||
| 255 | dout(" got ticket service %d (%s) secret_id %lld len %d\n", | ||
| 256 | type, ceph_entity_type_name(type), th->secret_id, | ||
| 257 | (int)th->ticket_blob->vec.iov_len); | ||
| 258 | xi->have_keys |= th->service; | ||
| 259 | } | 223 | } |
| 224 | tpend = tp + dlen; | ||
| 225 | dout(" ticket blob is %d bytes\n", dlen); | ||
| 226 | ceph_decode_need(&tp, tpend, 1 + sizeof(u64), bad); | ||
| 227 | blob_struct_v = ceph_decode_8(&tp); | ||
| 228 | new_secret_id = ceph_decode_64(&tp); | ||
| 229 | ret = ceph_decode_buffer(&new_ticket_blob, &tp, tpend); | ||
| 230 | if (ret) | ||
| 231 | goto out; | ||
| 232 | |||
| 233 | /* all is well, update our ticket */ | ||
| 234 | ceph_crypto_key_destroy(&th->session_key); | ||
| 235 | if (th->ticket_blob) | ||
| 236 | ceph_buffer_put(th->ticket_blob); | ||
| 237 | th->session_key = new_session_key; | ||
| 238 | th->ticket_blob = new_ticket_blob; | ||
| 239 | th->validity = new_validity; | ||
| 240 | th->secret_id = new_secret_id; | ||
| 241 | th->expires = new_expires; | ||
| 242 | th->renew_after = new_renew_after; | ||
| 243 | dout(" got ticket service %d (%s) secret_id %lld len %d\n", | ||
| 244 | type, ceph_entity_type_name(type), th->secret_id, | ||
| 245 | (int)th->ticket_blob->vec.iov_len); | ||
| 246 | xi->have_keys |= th->service; | ||
| 260 | 247 | ||
| 261 | ret = 0; | ||
| 262 | out: | 248 | out: |
| 263 | kfree(ticket_buf); | 249 | kfree(ticket_buf); |
| 264 | out_dbuf: | ||
| 265 | kfree(dbuf); | 250 | kfree(dbuf); |
| 266 | return ret; | 251 | return ret; |
| 267 | 252 | ||
| @@ -270,6 +255,34 @@ bad: | |||
| 270 | goto out; | 255 | goto out; |
| 271 | } | 256 | } |
| 272 | 257 | ||
| 258 | static int ceph_x_proc_ticket_reply(struct ceph_auth_client *ac, | ||
| 259 | struct ceph_crypto_key *secret, | ||
| 260 | void *buf, void *end) | ||
| 261 | { | ||
| 262 | void *p = buf; | ||
| 263 | u8 reply_struct_v; | ||
| 264 | u32 num; | ||
| 265 | int ret; | ||
| 266 | |||
| 267 | ceph_decode_8_safe(&p, end, reply_struct_v, bad); | ||
| 268 | if (reply_struct_v != 1) | ||
| 269 | return -EINVAL; | ||
| 270 | |||
| 271 | ceph_decode_32_safe(&p, end, num, bad); | ||
| 272 | dout("%d tickets\n", num); | ||
| 273 | |||
| 274 | while (num--) { | ||
| 275 | ret = process_one_ticket(ac, secret, &p, end); | ||
| 276 | if (ret) | ||
| 277 | return ret; | ||
| 278 | } | ||
| 279 | |||
| 280 | return 0; | ||
| 281 | |||
| 282 | bad: | ||
| 283 | return -EINVAL; | ||
| 284 | } | ||
| 285 | |||
| 273 | static int ceph_x_build_authorizer(struct ceph_auth_client *ac, | 286 | static int ceph_x_build_authorizer(struct ceph_auth_client *ac, |
| 274 | struct ceph_x_ticket_handler *th, | 287 | struct ceph_x_ticket_handler *th, |
| 275 | struct ceph_x_authorizer *au) | 288 | struct ceph_x_authorizer *au) |
| @@ -583,13 +596,14 @@ static int ceph_x_verify_authorizer_reply(struct ceph_auth_client *ac, | |||
| 583 | struct ceph_x_ticket_handler *th; | 596 | struct ceph_x_ticket_handler *th; |
| 584 | int ret = 0; | 597 | int ret = 0; |
| 585 | struct ceph_x_authorize_reply reply; | 598 | struct ceph_x_authorize_reply reply; |
| 599 | void *preply = &reply; | ||
| 586 | void *p = au->reply_buf; | 600 | void *p = au->reply_buf; |
| 587 | void *end = p + sizeof(au->reply_buf); | 601 | void *end = p + sizeof(au->reply_buf); |
| 588 | 602 | ||
| 589 | th = get_ticket_handler(ac, au->service); | 603 | th = get_ticket_handler(ac, au->service); |
| 590 | if (IS_ERR(th)) | 604 | if (IS_ERR(th)) |
| 591 | return PTR_ERR(th); | 605 | return PTR_ERR(th); |
| 592 | ret = ceph_x_decrypt(&th->session_key, &p, end, &reply, sizeof(reply)); | 606 | ret = ceph_x_decrypt(&th->session_key, &p, end, &preply, sizeof(reply)); |
| 593 | if (ret < 0) | 607 | if (ret < 0) |
| 594 | return ret; | 608 | return ret; |
| 595 | if (ret != sizeof(reply)) | 609 | if (ret != sizeof(reply)) |
diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c index 067d3af2eaf6..61fcfc304f68 100644 --- a/net/ceph/mon_client.c +++ b/net/ceph/mon_client.c | |||
| @@ -1181,7 +1181,15 @@ static struct ceph_msg *mon_alloc_msg(struct ceph_connection *con, | |||
| 1181 | if (!m) { | 1181 | if (!m) { |
| 1182 | pr_info("alloc_msg unknown type %d\n", type); | 1182 | pr_info("alloc_msg unknown type %d\n", type); |
| 1183 | *skip = 1; | 1183 | *skip = 1; |
| 1184 | } else if (front_len > m->front_alloc_len) { | ||
| 1185 | pr_warning("mon_alloc_msg front %d > prealloc %d (%u#%llu)\n", | ||
| 1186 | front_len, m->front_alloc_len, | ||
| 1187 | (unsigned int)con->peer_name.type, | ||
| 1188 | le64_to_cpu(con->peer_name.num)); | ||
| 1189 | ceph_msg_put(m); | ||
| 1190 | m = ceph_msg_new(type, front_len, GFP_NOFS, false); | ||
| 1184 | } | 1191 | } |
| 1192 | |||
| 1185 | return m; | 1193 | return m; |
| 1186 | } | 1194 | } |
| 1187 | 1195 | ||