mirror of
https://github.com/torvalds/linux.git
synced 2024-11-23 04:31:50 +00:00
5f24a8725f
Anna says:
> KASAN reports [...] a slab-out-of-bounds in gss_krb5_checksum(),
> and it can cause my client to panic when running cthon basic
> tests with krb5p.
> Running faddr2line gives me:
>
> gss_krb5_checksum+0x4b6/0x630:
> ahash_request_free at
> /home/anna/Programs/linux-nfs.git/./include/crypto/hash.h:619
> (inlined by) gss_krb5_checksum at
> /home/anna/Programs/linux-nfs.git/net/sunrpc/auth_gss/gss_krb5_crypto.c:358
My diagnosis is that the memcpy() at the end of gss_krb5_checksum()
reads past the end of the buffer containing the checksum data
because the callers have ignored gss_krb5_checksum()'s API contract:
* Caller provides the truncation length of the output token (h) in
* cksumout.len.
Instead they provide the fixed length of the hmac buffer. This
length happens to be larger than the value returned by
crypto_ahash_digestsize().
Change these errant callers to work like krb5_etm_{en,de}crypt().
As a defensive measure, bound the length of the byte copy at the
end of gss_krb5_checksum().
Kunit sez:
Testing complete. Ran 68 tests: passed: 68
Elapsed time: 81.680s total, 5.875s configuring, 75.610s building, 0.103s running
Reported-by: Anna Schumaker <schumaker.anna@gmail.com>
Fixes:
|
||
|---|---|---|
| .. | ||
| auth_gss | ||
| xprtrdma | ||
| .kunitconfig | ||
| addr.c | ||
| auth_null.c | ||
| auth_unix.c | ||
| auth.c | ||
| backchannel_rqst.c | ||
| cache.c | ||
| clnt.c | ||
| debugfs.c | ||
| fail.h | ||
| Kconfig | ||
| Makefile | ||
| netns.h | ||
| rpc_pipe.c | ||
| rpcb_clnt.c | ||
| sched.c | ||
| socklib.c | ||
| socklib.h | ||
| stats.c | ||
| sunrpc_syms.c | ||
| sunrpc.h | ||
| svc_xprt.c | ||
| svc.c | ||
| svcauth_unix.c | ||
| svcauth.c | ||
| svcsock.c | ||
| sysctl.c | ||
| sysfs.c | ||
| sysfs.h | ||
| timer.c | ||
| xdr.c | ||
| xprt.c | ||
| xprtmultipath.c | ||
| xprtsock.c | ||