authorEric Sandeen <sandeen@redhat.com>2008-10-29 17:01:08 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2008-10-30 14:38:46 -0400
commit87b811c3f96559e466403e22b1fa99d472571625 (patch)
tree319179f5d9a1cffaa3ae32aa41076d0fb10aab10 /fs/ecryptfs/crypto.c
parentce05fcc30ea41c85f9d50bee1ce289f7cb7fb223 (diff)
ecryptfs: fix memory corruption when storing crypto info in xattrs
When ecryptfs allocates space to write crypto headers into, before copying it out to file headers or to xattrs, it looks at the value of crypt_stat->num_header_bytes_at_front to determine how much space it needs. This is also used as the file offset to the actual encrypted data, so for xattr-stored crypto info, the value was zero. So, we kzalloc'd 0 bytes, and then ran off to write to that memory. (Which returned as ZERO_SIZE_PTR, so we explode quickly). The right answer is to always allocate a page to write into; the current code won't ever write more than that (this is enforced by the (PAGE_CACHE_SIZE - offset) length in the call to ecryptfs_generate_key_packet_set). To be explicit about this, we now send in a "max" parameter, rather than magically using PAGE_CACHE_SIZE there. Also, since the pointer we pass down the callchain eventually gets the virt_to_page() treatment, we should be using a alloc_page variant, not kzalloc (see also 7fcba054373d5dfc43d26e243a5c9b92069972ee) Signed-off-by: Eric Sandeen <sandeen@redhat.com> Acked-by: Michael Halcrow <mhalcrow@us.ibm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/ecryptfs/crypto.c')
-rw-r--r--fs/ecryptfs/crypto.c15
1 files changed, 8 insertions, 7 deletions
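diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
index 06db79d05c12..6046239465a1 100644
--- a/fs/ecryptfs/crypto.c
+++ b/fs/ecryptfs/crypto.c
@@ -1251,6 +1251,7 @@ struct kmem_cache *ecryptfs_header_cache_2;
 /**
  * ecryptfs_write_headers_virt
  * @page_virt: The virtual address to write the headers to
+ * @max: The size of memory allocated at page_virt
  * @size: Set to the number of bytes written by this function
  * @crypt_stat: The cryptographic context
  * @ecryptfs_dentry: The eCryptfs dentry
@@ -1278,7 +1279,8 @@ struct kmem_cache *ecryptfs_header_cache_2;
  *
  * Returns zero on success
  */
-static int ecryptfs_write_headers_virt(char *page_virt, size_t *size,
+static int ecryptfs_write_headers_virt(char *page_virt, size_t max,
+ size_t *size,
  struct ecryptfs_crypt_stat *crypt_stat,
  struct dentry *ecryptfs_dentry)
 {
@@ -1296,7 +1298,7 @@ static int ecryptfs_write_headers_virt(char *page_virt, size_t *size,
  offset += written;
  rc = ecryptfs_generate_key_packet_set((page_virt + offset), crypt_stat,
  ecryptfs_dentry, &written,
- PAGE_CACHE_SIZE - offset);
+ max - offset);
  if (rc)
  ecryptfs_printk(KERN_WARNING, "Error generating key packet "
  "set; rc = [%d]\n", rc);
@@ -1368,14 +1370,14 @@ int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry)
  goto out;
  }
  /* Released in this function */
- virt = kzalloc(crypt_stat->num_header_bytes_at_front, GFP_KERNEL);
+ virt = (char *)get_zeroed_page(GFP_KERNEL);
  if (!virt) {
  printk(KERN_ERR "%s: Out of memory\n", __func__);
  rc = -ENOMEM;
  goto out;
  }
- rc = ecryptfs_write_headers_virt(virt, &size, crypt_stat,
- ecryptfs_dentry);
+ rc = ecryptfs_write_headers_virt(virt, PAGE_CACHE_SIZE, &size,
+ crypt_stat, ecryptfs_dentry);
  if (unlikely(rc)) {
  printk(KERN_ERR "%s: Error whilst writing headers; rc = [%d]\n",
  __func__, rc);
@@ -1393,8 +1395,7 @@ int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry)
  goto out_free;
  }
 out_free:
- memset(virt, 0, crypt_stat->num_header_bytes_at_front);
- kfree(virt);
+ free_page((unsigned long)virt);
 out:
  return rc;
 }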
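Review bot: At `out_free:` in `ecryptfs_write_metadata`, the new `free_page((unsigned long)virt);` replaces a `memset` + `kfree` pair, so the header buffer (which held the generated key packet set) is no longer scrubbed before it returns to the allocator; if that scrub was deliberate, keep it as `memset(virt, 0, PAGE_CACHE_SIZE);` immediately before the `free_page` call. Separately, `virt` is now always exactly one page, independent of `crypt_stat->num_header_bytes_at_front`. The write-out code between the last two hunks is not shown, but if it still takes the buffer length from that field and the field can exceed `PAGE_CACHE_SIZE`, it would read past the allocation, so that length should be checked against the page size. In `ecryptfs_write_headers_virt`, `max - offset` is an unsigned subtraction with no `offset <= max` guard; that looks safe only while the one visible caller passes a full page, and the function body extends outside the hunk.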