linux/drivers/md
Mikulas Patocka d49ec52ff6 dm crypt: fix access beyond the end of allocated space
The DM crypt target accesses memory beyond allocated space resulting in
a crash on 32 bit x86 systems.

This bug is very old (it dates back to 2.6.25 commit 3a7f6c990a "dm
crypt: use async crypto").  However, this bug was masked by the fact
that kmalloc rounds the size up to the next power of two.  This bug
wasn't exposed until 3.17-rc1 commit 298a9fa08a ("dm crypt: use per-bio
data").  By switching to using per-bio data there was no longer any
padding beyond the end of a dm-crypt allocated memory block.

To minimize allocation overhead dm-crypt puts several structures into one
block allocated with kmalloc.  The block holds struct ablkcipher_request,
cipher-specific scratch pad (crypto_ablkcipher_reqsize(any_tfm(cc))),
struct dm_crypt_request and an initialization vector.

The variable dmreq_start is set to offset of struct dm_crypt_request
within this memory block.  dm-crypt allocates the block with this size:
cc->dmreq_start + sizeof(struct dm_crypt_request) + cc->iv_size.

When accessing the initialization vector, dm-crypt uses the function
iv_of_dmreq, which performs this calculation: ALIGN((unsigned long)(dmreq
+ 1), crypto_ablkcipher_alignmask(any_tfm(cc)) + 1).

dm-crypt allocated "cc->iv_size" bytes beyond the end of dm_crypt_request
structure.  However, when dm-crypt accesses the initialization vector, it
takes a pointer to the end of dm_crypt_request, aligns it, and then uses
it as the initialization vector.  If the end of dm_crypt_request is not
aligned on a crypto_ablkcipher_alignmask(any_tfm(cc)) boundary the
alignment causes the initialization vector to point beyond the allocated
space.

Fix this bug by calculating the variable iv_size_padding and adding it
to the allocated size.

Also correct the alignment of dm_crypt_request.  struct dm_crypt_request
is specific to dm-crypt (it isn't used by the crypto subsystem at all),
so it is aligned on __alignof__(struct dm_crypt_request).

Also align per_bio_data_size on ARCH_KMALLOC_MINALIGN, so that it is
aligned as if the block was allocated with kmalloc.

Reported-by: Krzysztof Kolasa <kkolasa@winsoft.pl>
Tested-by: Milan Broz <gmazyland@gmail.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
2014-08-28 14:24:09 -04:00
..
bcache bcache: Drop unneeded blk_sync_queue() calls 2014-08-04 15:23:04 -07:00
persistent-data dm transaction manager: fix corruption due to non-atomic transaction commit 2014-03-27 16:56:23 -04:00
bitmap.c md/bitmap: remove confusing code from filemap_get_page. 2014-05-29 16:59:47 +10:00
bitmap.h kernfs: s/sysfs_dirent/kernfs_node/ and rename its friends accordingly 2013-12-11 15:28:36 -08:00
dm-bio-prison.c dm bio prison: implement per bucket locking in the dm_bio_prison hash table 2014-06-11 16:48:54 -04:00
dm-bio-prison.h dm thin: return ENOSPC instead of EIO when error_if_no_space enabled 2014-06-03 13:44:08 -04:00
dm-bio-record.h dm: Refactor for new bio cloning/splitting 2013-11-23 22:33:55 -08:00
dm-bufio.c Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2014-08-04 16:23:30 -07:00
dm-bufio.h dm snapshot: use dm-bufio prefetch 2014-01-14 23:23:03 -05:00
dm-builtin.c dm sysfs: fix a module unload race 2014-01-14 23:23:04 -05:00
dm-cache-block-types.h dm cache: remove remainder of distinct discard block size 2014-03-27 16:56:23 -04:00
dm-cache-metadata.c dm cache metadata: use dm-space-map-metadata.h defined size limits 2014-08-01 12:30:33 -04:00
dm-cache-metadata.h dm cache metadata: use dm-space-map-metadata.h defined size limits 2014-08-01 12:30:33 -04:00
dm-cache-policy-cleaner.c
dm-cache-policy-internal.h dm cache: add remove_cblock method to policy interface 2013-11-11 11:37:50 -05:00
dm-cache-policy-mq.c dm cache mq: fix memory allocation failure for large cache devices 2014-02-28 12:18:29 -05:00
dm-cache-policy.c dm cache: add policy name to status output 2014-01-16 13:44:11 -05:00
dm-cache-policy.h dm cache: add policy name to status output 2014-01-16 13:44:11 -05:00
dm-cache-target.c dm cache: set minimum_io_size to cache's data block size 2014-08-01 12:30:36 -04:00
dm-crypt.c dm crypt: fix access beyond the end of allocated space 2014-08-28 14:24:09 -04:00
dm-delay.c Merge branch 'for-3.14/core' of git://git.kernel.dk/linux-block 2014-01-30 11:19:05 -08:00
dm-era-target.c dm era: check for a non-NULL metadata object before closing it 2014-06-03 13:44:08 -04:00
dm-exception-store.c
dm-exception-store.h
dm-flakey.c block: Abstract out bvec iterator 2013-11-23 22:33:47 -08:00
dm-io.c dm io: simplify dec_count and sync_io 2014-08-01 12:30:30 -04:00
dm-ioctl.c dm: allow remove to be deferred 2013-11-09 18:20:22 -05:00
dm-kcopyd.c dm: stop using WQ_NON_REENTRANT 2013-08-23 09:02:13 -04:00
dm-linear.c block: Abstract out bvec iterator 2013-11-23 22:33:47 -08:00
dm-log-userspace-base.c dm log userspace: allow mark requests to piggyback on flush requests 2014-01-21 23:46:27 -05:00
dm-log-userspace-transfer.c connector: add portid to unicast in addition to broadcasting 2014-02-07 15:40:17 -08:00
dm-log-userspace-transfer.h
dm-log.c
dm-mpath.c dm mpath: eliminate pg_ready() wrapper 2014-08-01 12:30:31 -04:00
dm-mpath.h
dm-path-selector.c
dm-path-selector.h
dm-queue-length.c
dm-raid1.c dm raid1: fix immutable biovec related BUG when retrying read bio 2014-02-18 10:48:57 -05:00
dm-raid.c MD: Remember the last sync operation that was performed 2013-06-26 12:38:24 +10:00
dm-region-hash.c block: Abstract out bvec iterator 2013-11-23 22:33:47 -08:00
dm-round-robin.c
dm-service-time.c
dm-snap-persistent.c dm snapshot: fix metadata corruption 2014-03-03 17:58:13 -05:00
dm-snap-transient.c
dm-snap.c sched: Remove proliferation of wait_on_bit() action functions 2014-07-16 15:10:39 +02:00
dm-stats.c dm stats: initialize read-only module parameter 2013-12-10 19:13:21 -05:00
dm-stats.h dm: add statistics support 2013-09-05 20:46:06 -04:00
dm-stripe.c block: Abstract out bvec iterator 2013-11-23 22:33:47 -08:00
dm-switch.c dm switch: efficiently support repetitive patterns 2014-08-01 12:30:37 -04:00
dm-sysfs.c dm sysfs: fix a module unload race 2014-01-14 23:23:04 -05:00
dm-table.c dm table: propagate QUEUE_FLAG_NO_SG_MERGE 2014-08-10 20:54:49 -04:00
dm-target.c dm: allow error target to replace bio-based and request-based targets 2013-09-05 20:46:05 -04:00
dm-thin-metadata.c dm thin metadata: do not allow the data block size to change 2014-07-15 14:05:26 -04:00
dm-thin-metadata.h dm thin: ensure user takes action to validate data and metadata consistency 2014-03-05 15:25:35 -05:00
dm-thin.c dm thin: set minimum_io_size to pool's data block size 2014-08-01 12:30:35 -04:00
dm-uevent.c
dm-uevent.h
dm-verity.c dm verity: fix biovecs hash calculation regression 2014-04-15 12:19:24 -04:00
dm-zero.c dm crypt, dm zero: update author name following legal name change 2014-07-10 16:44:14 -04:00
dm.c dm: allocate a special workqueue for deferred device removal 2014-07-10 16:44:13 -04:00
dm.h dm table: make dm_table_supports_discards static 2014-08-01 12:30:34 -04:00
faulty.c block: Abstract out bvec iterator 2013-11-23 22:33:47 -08:00
Kconfig dm: add era target 2014-03-27 16:56:23 -04:00
linear.c block: Introduce new bio_split() 2013-11-23 22:33:57 -08:00
linear.h
Makefile dm: add era target 2014-03-27 16:56:23 -04:00
md.c md: don't allow bitmap file to be added to raid0/linear. 2014-08-08 15:43:20 +10:00
md.h md/bitmap: don't abuse i_writecount for bitmap files. 2014-04-09 12:26:59 +10:00
multipath.c block: Abstract out bvec iterator 2013-11-23 22:33:47 -08:00
multipath.h
raid0.c md/raid0: check for bitmap compatability when changing raid levels. 2014-08-08 15:33:17 +10:00
raid0.h
raid1.c md/raid1,raid10: always abort recover on write error. 2014-07-31 10:16:52 +10:00
raid1.h raid1: Rewrite the implementation of iobarrier. 2013-11-19 15:19:18 +11:00
raid5.c md/raid6: avoid data corruption during recovery of double-degraded RAID6 2014-08-18 14:49:46 +10:00
raid5.h raid5: add an option to avoid copy data from bio to stripe cache 2014-05-29 16:59:47 +10:00
raid10.c md/raid10: always initialise ->state on newly allocated r10_bio 2014-08-19 17:20:27 +10:00
raid10.h