1. 06 Nov, 2017 3 commits
  2. 04 Nov, 2017 1 commit
  3. 12 Oct, 2017 1 commit
    • Eric Biggers's avatar
      ecryptfs: fix dereference of NULL user_key_payload · f66665c0
      Eric Biggers authored
      In eCryptfs, we failed to verify that the authentication token keys are
      not revoked before dereferencing their payloads, which is problematic
      because the payload of a revoked key is NULL.  request_key() *does* skip
      revoked keys, but there is still a window where the key can be revoked
      before we acquire the key semaphore.
      
      Fix it by updating ecryptfs_get_key_payload_data() to return
      -EKEYREVOKED if the key payload is NULL.  For completeness we check this
      for "encrypted" keys as well as "user" keys, although encrypted keys
      cannot be revoked currently.
      
      Alternatively we could use key_validate(), but since we'll also need to
      fix ecryptfs_get_key_payload_data() to validate the payload length, it
      seems appropriate to just check the payload pointer.
      
      Fixes: 237fead6 ("[PATCH] ecryptfs: fs/Makefile and fs/Kconfig")
      Reviewed-by: default avatarJames Morris <james.l.morris@oracle.com>
      Cc: <stable@vger.kernel.org>    [v2.6.19+]
      Cc: Michael Halcrow <mhalcrow@google.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      f66665c0
  4. 04 Apr, 2016 1 commit
    • Kirill A. Shutemov's avatar
      mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release} macros · 09cbfeaf
      Kirill A. Shutemov authored
      PAGE_CACHE_{SIZE,SHIFT,MASK,ALIGN} macros were introduced *long* time
      ago with promise that one day it will be possible to implement page
      cache with bigger chunks than PAGE_SIZE.
      
      This promise never materialized.  And unlikely will.
      
      We have many places where PAGE_CACHE_SIZE assumed to be equal to
      PAGE_SIZE.  And it's constant source of confusion on whether
      PAGE_CACHE_* or PAGE_* constant should be used in a particular case,
      especially on the border between fs and mm.
      
      Global switching to PAGE_CACHE_SIZE != PAGE_SIZE would cause to much
      breakage to be doable.
      
      Let's stop pretending that pages in page cache are special.  They are
      not.
      
      The changes are pretty straight-forward:
      
       - <foo> << (PAGE_CACHE_SHIFT - PAGE_SHIFT) -> <foo>;
      
       - <foo> >> (PAGE_CACHE_SHIFT - PAGE_SHIFT) -> <foo>;
      
       - PAGE_CACHE_{SIZE,SHIFT,MASK,ALIGN} -> PAGE_{SIZE,SHIFT,MASK,ALIGN};
      
       - page_cache_get() -> get_page();
      
       - page_cache_release() -> put_page();
      
      This patch contains automated changes generated with coccinelle using
      script below.  For some reason, coccinelle doesn't patch header files.
      I've called spatch for them manually.
      
      The only adjustment after coccinelle is revert of changes to
      PAGE_CAHCE_ALIGN definition: we are going to drop it later.
      
      There are few places in the code where coccinelle didn't reach.  I'll
      fix them manually in a separate patch.  Comments and documentation also
      will be addressed with the separate patch.
      
      virtual patch
      
      @@
      expression E;
      @@
      - E << (PAGE_CACHE_SHIFT - PAGE_SHIFT)
      + E
      
      @@
      expression E;
      @@
      - E >> (PAGE_CACHE_SHIFT - PAGE_SHIFT)
      + E
      
      @@
      @@
      - PAGE_CACHE_SHIFT
      + PAGE_SHIFT
      
      @@
      @@
      - PAGE_CACHE_SIZE
      + PAGE_SIZE
      
      @@
      @@
      - PAGE_CACHE_MASK
      + PAGE_MASK
      
      @@
      expression E;
      @@
      - PAGE_CACHE_ALIGN(E)
      + PAGE_ALIGN(E)
      
      @@
      expression E;
      @@
      - page_cache_get(E)
      + get_page(E)
      
      @@
      expression E;
      @@
      - page_cache_release(E)
      + put_page(E)
      Signed-off-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      09cbfeaf
  5. 17 Mar, 2016 1 commit
  6. 27 Jan, 2016 1 commit
  7. 25 Feb, 2015 1 commit
    • Colin Ian King's avatar
      eCryptfs: ensure copy to crypt_stat->cipher does not overrun · 2a559a8b
      Colin Ian King authored
      The patch 237fead6: "[PATCH] ecryptfs: fs/Makefile and
      fs/Kconfig" from Oct 4, 2006, leads to the following static checker
      warning:
      
        fs/ecryptfs/crypto.c:846 ecryptfs_new_file_context()
        error: off-by-one overflow 'crypt_stat->cipher' size 32.  rl = '0-32'
      
      There is a mismatch between the size of ecryptfs_crypt_stat.cipher
      and ecryptfs_mount_crypt_stat.global_default_cipher_name causing the
      copy of the cipher name to cause a off-by-one string copy error. This
      fix ensures the space reserved for this string is the same size including
      the trailing zero at the end throughout ecryptfs.
      
      This fix avoids increasing the size of ecryptfs_crypt_stat.cipher
      and also ecryptfs_parse_tag_70_packet_silly_stack.cipher_string and instead
      reduces the of ECRYPTFS_MAX_CIPHER_NAME_SIZE to 31 and includes the + 1 for
      the end of string terminator.
      
      NOTE: An overflow is not possible in practice since the value copied
      into global_default_cipher_name is validated by
      ecryptfs_code_for_cipher_string() at mount time. None of the allowed
      cipher strings are long enough to cause the potential buffer overflow
      fixed by this patch.
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      [tyhicks: Added the NOTE about the overflow not being triggerable]
      Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
      2a559a8b
  8. 29 Oct, 2014 1 commit
  9. 14 Jul, 2014 1 commit
  10. 03 Jul, 2014 1 commit
  11. 16 Oct, 2013 1 commit
  12. 04 Mar, 2013 1 commit
  13. 12 Feb, 2013 1 commit
  14. 17 Jan, 2013 1 commit
  15. 16 Feb, 2012 1 commit
  16. 25 Jan, 2012 1 commit
  17. 09 Aug, 2011 1 commit
  18. 29 Jul, 2011 1 commit
  19. 22 Jul, 2011 1 commit
  20. 27 Jun, 2011 1 commit
  21. 27 May, 2011 1 commit
    • Tyler Hicks's avatar
      eCryptfs: Allow 2 scatterlist entries for encrypted filenames · 8d08dab7
      Tyler Hicks authored
      The buffers allocated while encrypting and decrypting long filenames can
      sometimes straddle two pages. In this situation, virt_to_scatterlist()
      will return -ENOMEM, causing the operation to fail and the user will get
      scary error messages in their logs:
      
      kernel: ecryptfs_write_tag_70_packet: Internal error whilst attempting
      to convert filename memory to scatterlist; expected rc = 1; got rc =
      [-12]. block_aligned_filename_size = [272]
      kernel: ecryptfs_encrypt_filename: Error attempting to generate tag 70
      packet; rc = [-12]
      kernel: ecryptfs_encrypt_and_encode_filename: Error attempting to
      encrypt filename; rc = [-12]
      kernel: ecryptfs_lookup: Error attempting to encrypt and encode
      filename; rc = [-12]
      
      The solution is to allow up to 2 scatterlist entries to be used.
      Signed-off-by: default avatarTyler Hicks <tyhicks@linux.vnet.ibm.com>
      Cc: <stable@kernel.org>
      8d08dab7
  22. 28 Mar, 2011 6 commits
  23. 17 Jan, 2011 2 commits
  24. 29 Oct, 2010 3 commits
  25. 27 Aug, 2010 1 commit
  26. 30 Mar, 2010 1 commit
    • Tejun Heo's avatar
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking... · 5a0e3ad6
      Tejun Heo authored
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
      
      percpu.h is included by sched.h and module.h and thus ends up being
      included when building most .c files.  percpu.h includes slab.h which
      in turn includes gfp.h making everything defined by the two files
      universally available and complicating inclusion dependencies.
      
      percpu.h -> slab.h dependency is about to be removed.  Prepare for
      this change by updating users of gfp and slab facilities include those
      headers directly instead of assuming availability.  As this conversion
      needs to touch large number of source files, the following script is
      used as the basis of conversion.
      
        http://userweb.kernel.org/~tj/misc/slabh-sweep.py
      
      The script does the followings.
      
      * Scan files for gfp and slab usages and update includes such that
        only the necessary includes are there.  ie. if only gfp is used,
        gfp.h, if slab is used, slab.h.
      
      * When the script inserts a new include, it looks at the include
        blocks and try to put the new include such that its order conforms
        to its surrounding.  It's put in the include block which contains
        core kernel includes, in the same order that the rest are ordered -
        alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
        doesn't seem to be any matching order.
      
      * If the script can't find a place to put a new include (mostly
        because the file doesn't have fitting include block), it prints out
        an error message indicating which .h file needs to be added to the
        file.
      
      The conversion was done in the following steps.
      
      1. The initial automatic conversion of all .c files updated slightly
         over 4000 files, deleting around 700 includes and adding ~480 gfp.h
         and ~3000 slab.h inclusions.  The script emitted errors for ~400
         files.
      
      2. Each error was manually checked.  Some didn't need the inclusion,
         some needed manual addition while adding it to implementation .h or
         embedding .c file was more appropriate for others.  This step added
         inclusions to around 150 files.
      
      3. The script was run again and the output was compared to the edits
         from #2 to make sure no file was left behind.
      
      4. Several build tests were done and a couple of problems were fixed.
         e.g. lib/decompress_*.c used malloc/free() wrappers around slab
         APIs requiring slab.h to be added manually.
      
      5. The script was run on all .h files but without automatically
         editing them as sprinkling gfp.h and slab.h inclusions around .h
         files could easily lead to inclusion dependency hell.  Most gfp.h
         inclusion directives were ignored as stuff from gfp.h was usually
         wildly available and often used in preprocessor macros.  Each
         slab.h inclusion directive was examined and added manually as
         necessary.
      
      6. percpu.h was updated not to include slab.h.
      
      7. Build test were done on the following configurations and failures
         were fixed.  CONFIG_GCOV_KERNEL was turned off for all tests (as my
         distributed build env didn't work with gcov compiles) and a few
         more options had to be turned off depending on archs to make things
         build (like ipr on powerpc/64 which failed due to missing writeq).
      
         * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
         * powerpc and powerpc64 SMP allmodconfig
         * sparc and sparc64 SMP allmodconfig
         * ia64 SMP allmodconfig
         * s390 SMP allmodconfig
         * alpha SMP allmodconfig
         * um on x86_64 SMP allmodconfig
      
      8. percpu.h modifications were reverted so that it could be applied as
         a separate patch and serve as bisection point.
      
      Given the fact that I had only a couple of failures from tests on step
      6, I'm fairly confident about the coverage of this conversion patch.
      If there is a breakage, it's likely to be something in one of the arch
      headers which should be easily discoverable easily on most builds of
      the specific arch.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Guess-its-ok-by: default avatarChristoph Lameter <cl@linux-foundation.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
      5a0e3ad6
  27. 23 Sep, 2009 4 commits
    • Tyler Hicks's avatar
      eCryptfs: Validate global auth tok keys · 38919598
      Tyler Hicks authored
      When searching through the global authentication tokens for a given key
      signature, verify that a matching key has not been revoked and has not
      expired.  This allows the `keyctl revoke` command to be properly used on
      keys in use by eCryptfs.
      Acked-by: default avatarSerge Hallyn <serue@us.ibm.com>
      Cc: ecryptfs-devel@lists.launchpad.net
      Cc: stable <stable@kernel.org>
      Signed-off-by: default avatarTyler Hicks <tyhicks@linux.vnet.ibm.com>
      38919598
    • Tyler Hicks's avatar
      eCryptfs: Filename encryption only supports password auth tokens · df6ad33b
      Tyler Hicks authored
      Returns -ENOTSUPP when attempting to use filename encryption with
      something other than a password authentication token, such as a private
      token from openssl.  Using filename encryption with a userspace eCryptfs
      key module is a future goal.  Until then, this patch handles the
      situation a little better than simply using a BUG_ON().
      Acked-by: default avatarSerge Hallyn <serue@us.ibm.com>
      Cc: ecryptfs-devel@lists.launchpad.net
      Cc: stable <stable@kernel.org>
      Signed-off-by: default avatarTyler Hicks <tyhicks@linux.vnet.ibm.com>
      df6ad33b
    • Tyler Hicks's avatar
      eCryptfs: Handle unrecognized tag 3 cipher codes · b0105eae
      Tyler Hicks authored
      Returns an error when an unrecognized cipher code is present in a tag 3
      packet or an ecryptfs_crypt_stat cannot be initialized.  Also sets an
      crypt_stat->tfm error pointer to NULL to ensure that it will not be
      incorrectly freed in ecryptfs_destroy_crypt_stat().
      Acked-by: default avatarSerge Hallyn <serue@us.ibm.com>
      Cc: ecryptfs-devel@lists.launchpad.net
      Cc: stable <stable@kernel.org>
      Signed-off-by: default avatarTyler Hicks <tyhicks@linux.vnet.ibm.com>
      b0105eae
    • Roland Dreier's avatar
      eCryptfs: Fix lockdep-reported AB-BA mutex issue · aa06117f
      Roland Dreier authored
      Lockdep reports the following valid-looking possible AB-BA deadlock with
      global_auth_tok_list_mutex and keysig_list_mutex:
      
        ecryptfs_new_file_context() ->
            ecryptfs_copy_mount_wide_sigs_to_inode_sigs() ->
                mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
                -> ecryptfs_add_keysig() ->
                    mutex_lock(&crypt_stat->keysig_list_mutex);
      
      vs
      
        ecryptfs_generate_key_packet_set() ->
            mutex_lock(&crypt_stat->keysig_list_mutex);
            -> ecryptfs_find_global_auth_tok_for_sig() ->
                mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
      
      ie the two mutexes are taken in opposite orders in the two different
      code paths.  I'm not sure if this is a real bug where two threads could
      actually hit the two paths in parallel and deadlock, but it at least
      makes lockdep impossible to use with ecryptfs since this report triggers
      every time and disables future lockdep reporting.
      
      Since ecryptfs_add_keysig() is called only from the single callsite in
      ecryptfs_copy_mount_wide_sigs_to_inode_sigs(), the simplest fix seems to
      be to move the lock of keysig_list_mutex back up outside of the where
      global_auth_tok_list_mutex is taken.  This patch does that, and fixes
      the lockdep report on my system (and ecryptfs still works OK).
      
      The full output of lockdep fixed by this patch is:
      
      =======================================================
      [ INFO: possible circular locking dependency detected ]
      2.6.31-2-generic #14~rbd2
      -------------------------------------------------------
      gdm/2640 is trying to acquire lock:
       (&mount_crypt_stat->global_auth_tok_list_mutex){+.+.+.}, at: [<ffffffff8121591e>] ecryptfs_find_global_auth_tok_for_sig+0x2e/0x90
      
      but task is already holding lock:
       (&crypt_stat->keysig_list_mutex){+.+.+.}, at: [<ffffffff81217728>] ecryptfs_generate_key_packet_set+0x58/0x2b0
      
      which lock already depends on the new lock.
      
      the existing dependency chain (in reverse order) is:
      
      -> #1 (&crypt_stat->keysig_list_mutex){+.+.+.}:
             [<ffffffff8108c897>] check_prev_add+0x2a7/0x370
             [<ffffffff8108cfc1>] validate_chain+0x661/0x750
             [<ffffffff8108d2e7>] __lock_acquire+0x237/0x430
             [<ffffffff8108d585>] lock_acquire+0xa5/0x150
             [<ffffffff815526cd>] __mutex_lock_common+0x4d/0x3d0
             [<ffffffff81552b56>] mutex_lock_nested+0x46/0x60
             [<ffffffff8121526a>] ecryptfs_add_keysig+0x5a/0xb0
             [<ffffffff81213299>] ecryptfs_copy_mount_wide_sigs_to_inode_sigs+0x59/0xb0
             [<ffffffff81214b06>] ecryptfs_new_file_context+0xa6/0x1a0
             [<ffffffff8120e42a>] ecryptfs_initialize_file+0x4a/0x140
             [<ffffffff8120e54d>] ecryptfs_create+0x2d/0x60
             [<ffffffff8113a7d4>] vfs_create+0xb4/0xe0
             [<ffffffff8113a8c4>] __open_namei_create+0xc4/0x110
             [<ffffffff8113d1c1>] do_filp_open+0xa01/0xae0
             [<ffffffff8112d8d9>] do_sys_open+0x69/0x140
             [<ffffffff8112d9f0>] sys_open+0x20/0x30
             [<ffffffff81013132>] system_call_fastpath+0x16/0x1b
             [<ffffffffffffffff>] 0xffffffffffffffff
      
      -> #0 (&mount_crypt_stat->global_auth_tok_list_mutex){+.+.+.}:
             [<ffffffff8108c675>] check_prev_add+0x85/0x370
             [<ffffffff8108cfc1>] validate_chain+0x661/0x750
             [<ffffffff8108d2e7>] __lock_acquire+0x237/0x430
             [<ffffffff8108d585>] lock_acquire+0xa5/0x150
             [<ffffffff815526cd>] __mutex_lock_common+0x4d/0x3d0
             [<ffffffff81552b56>] mutex_lock_nested+0x46/0x60
             [<ffffffff8121591e>] ecryptfs_find_global_auth_tok_for_sig+0x2e/0x90
             [<ffffffff812177d5>] ecryptfs_generate_key_packet_set+0x105/0x2b0
             [<ffffffff81212f49>] ecryptfs_write_headers_virt+0xc9/0x120
             [<ffffffff8121306d>] ecryptfs_write_metadata+0xcd/0x200
             [<ffffffff8120e44b>] ecryptfs_initialize_file+0x6b/0x140
             [<ffffffff8120e54d>] ecryptfs_create+0x2d/0x60
             [<ffffffff8113a7d4>] vfs_create+0xb4/0xe0
             [<ffffffff8113a8c4>] __open_namei_create+0xc4/0x110
             [<ffffffff8113d1c1>] do_filp_open+0xa01/0xae0
             [<ffffffff8112d8d9>] do_sys_open+0x69/0x140
             [<ffffffff8112d9f0>] sys_open+0x20/0x30
             [<ffffffff81013132>] system_call_fastpath+0x16/0x1b
             [<ffffffffffffffff>] 0xffffffffffffffff
      
      other info that might help us debug this:
      
      2 locks held by gdm/2640:
       #0:  (&sb->s_type->i_mutex_key#11){+.+.+.}, at: [<ffffffff8113cb8b>] do_filp_open+0x3cb/0xae0
       #1:  (&crypt_stat->keysig_list_mutex){+.+.+.}, at: [<ffffffff81217728>] ecryptfs_generate_key_packet_set+0x58/0x2b0
      
      stack backtrace:
      Pid: 2640, comm: gdm Tainted: G         C 2.6.31-2-generic #14~rbd2
      Call Trace:
       [<ffffffff8108b988>] print_circular_bug_tail+0xa8/0xf0
       [<ffffffff8108c675>] check_prev_add+0x85/0x370
       [<ffffffff81094912>] ? __module_text_address+0x12/0x60
       [<ffffffff8108cfc1>] validate_chain+0x661/0x750
       [<ffffffff81017275>] ? print_context_stack+0x85/0x140
       [<ffffffff81089c68>] ? find_usage_backwards+0x38/0x160
       [<ffffffff8108d2e7>] __lock_acquire+0x237/0x430
       [<ffffffff8108d585>] lock_acquire+0xa5/0x150
       [<ffffffff8121591e>] ? ecryptfs_find_global_auth_tok_for_sig+0x2e/0x90
       [<ffffffff8108b0b0>] ? check_usage_backwards+0x0/0xb0
       [<ffffffff815526cd>] __mutex_lock_common+0x4d/0x3d0
       [<ffffffff8121591e>] ? ecryptfs_find_global_auth_tok_for_sig+0x2e/0x90
       [<ffffffff8121591e>] ? ecryptfs_find_global_auth_tok_for_sig+0x2e/0x90
       [<ffffffff8108c02c>] ? mark_held_locks+0x6c/0xa0
       [<ffffffff81125b0d>] ? kmem_cache_alloc+0xfd/0x1a0
       [<ffffffff8108c34d>] ? trace_hardirqs_on_caller+0x14d/0x190
       [<ffffffff81552b56>] mutex_lock_nested+0x46/0x60
       [<ffffffff8121591e>] ecryptfs_find_global_auth_tok_for_sig+0x2e/0x90
       [<ffffffff812177d5>] ecryptfs_generate_key_packet_set+0x105/0x2b0
       [<ffffffff81212f49>] ecryptfs_write_headers_virt+0xc9/0x120
       [<ffffffff8121306d>] ecryptfs_write_metadata+0xcd/0x200
       [<ffffffff81210240>] ? ecryptfs_init_persistent_file+0x60/0xe0
       [<ffffffff8120e44b>] ecryptfs_initialize_file+0x6b/0x140
       [<ffffffff8120e54d>] ecryptfs_create+0x2d/0x60
       [<ffffffff8113a7d4>] vfs_create+0xb4/0xe0
       [<ffffffff8113a8c4>] __open_namei_create+0xc4/0x110
       [<ffffffff8113d1c1>] do_filp_open+0xa01/0xae0
       [<ffffffff8129a93e>] ? _raw_spin_unlock+0x5e/0xb0
       [<ffffffff8155410b>] ? _spin_unlock+0x2b/0x40
       [<ffffffff81139e9b>] ? getname+0x3b/0x240
       [<ffffffff81148a5a>] ? alloc_fd+0xfa/0x140
       [<ffffffff8112d8d9>] do_sys_open+0x69/0x140
       [<ffffffff81553b8f>] ? trace_hardirqs_on_thunk+0x3a/0x3f
       [<ffffffff8112d9f0>] sys_open+0x20/0x30
       [<ffffffff81013132>] system_call_fastpath+0x16/0x1b
      Signed-off-by: default avatarRoland Dreier <rolandd@cisco.com>
      Signed-off-by: default avatarTyler Hicks <tyhicks@linux.vnet.ibm.com>
      aa06117f