linux_dsm_epyc7002/drivers/md
Mikulas Patocka d49ec52ff6 dm crypt: fix access beyond the end of allocated space
The DM crypt target accesses memory beyond allocated space resulting in
a crash on 32 bit x86 systems.

This bug is very old (it dates back to 2.6.25 commit 3a7f6c990a "dm
crypt: use async crypto").  However, this bug was masked by the fact
that kmalloc rounds the size up to the next power of two.  This bug
wasn't exposed until 3.17-rc1 commit 298a9fa08a ("dm crypt: use per-bio
data").  By switching to using per-bio data there was no longer any
padding beyond the end of a dm-crypt allocated memory block.

To minimize allocation overhead dm-crypt puts several structures into one
block allocated with kmalloc.  The block holds struct ablkcipher_request,
cipher-specific scratch pad (crypto_ablkcipher_reqsize(any_tfm(cc))),
struct dm_crypt_request and an initialization vector.

The variable dmreq_start is set to offset of struct dm_crypt_request
within this memory block.  dm-crypt allocates the block with this size:
cc->dmreq_start + sizeof(struct dm_crypt_request) + cc->iv_size.

When accessing the initialization vector, dm-crypt uses the function
iv_of_dmreq, which performs this calculation: ALIGN((unsigned long)(dmreq
+ 1), crypto_ablkcipher_alignmask(any_tfm(cc)) + 1).

dm-crypt allocated "cc->iv_size" bytes beyond the end of dm_crypt_request
structure.  However, when dm-crypt accesses the initialization vector, it
takes a pointer to the end of dm_crypt_request, aligns it, and then uses
it as the initialization vector.  If the end of dm_crypt_request is not
aligned on a crypto_ablkcipher_alignmask(any_tfm(cc)) boundary the
alignment causes the initialization vector to point beyond the allocated
space.

Fix this bug by calculating the variable iv_size_padding and adding it
to the allocated size.

Also correct the alignment of dm_crypt_request.  struct dm_crypt_request
is specific to dm-crypt (it isn't used by the crypto subsystem at all),
so it is aligned on __alignof__(struct dm_crypt_request).

Also align per_bio_data_size on ARCH_KMALLOC_MINALIGN, so that it is
aligned as if the block was allocated with kmalloc.

Reported-by: Krzysztof Kolasa <kkolasa@winsoft.pl>
Tested-by: Milan Broz <gmazyland@gmail.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
2014-08-28 14:24:09 -04:00
..
bcache bcache: Drop unneeded blk_sync_queue() calls 2014-08-04 15:23:04 -07:00
persistent-data
bitmap.c
bitmap.h
dm-bio-prison.c dm bio prison: implement per bucket locking in the dm_bio_prison hash table 2014-06-11 16:48:54 -04:00
dm-bio-prison.h
dm-bio-record.h
dm-bufio.c Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2014-08-04 16:23:30 -07:00
dm-bufio.h
dm-builtin.c
dm-cache-block-types.h
dm-cache-metadata.c dm cache metadata: use dm-space-map-metadata.h defined size limits 2014-08-01 12:30:33 -04:00
dm-cache-metadata.h dm cache metadata: use dm-space-map-metadata.h defined size limits 2014-08-01 12:30:33 -04:00
dm-cache-policy-cleaner.c
dm-cache-policy-internal.h
dm-cache-policy-mq.c
dm-cache-policy.c
dm-cache-policy.h
dm-cache-target.c dm cache: set minimum_io_size to cache's data block size 2014-08-01 12:30:36 -04:00
dm-crypt.c dm crypt: fix access beyond the end of allocated space 2014-08-28 14:24:09 -04:00
dm-delay.c
dm-era-target.c
dm-exception-store.c
dm-exception-store.h
dm-flakey.c
dm-io.c dm io: simplify dec_count and sync_io 2014-08-01 12:30:30 -04:00
dm-ioctl.c
dm-kcopyd.c
dm-linear.c
dm-log-userspace-base.c
dm-log-userspace-transfer.c
dm-log-userspace-transfer.h
dm-log.c
dm-mpath.c dm mpath: eliminate pg_ready() wrapper 2014-08-01 12:30:31 -04:00
dm-mpath.h
dm-path-selector.c
dm-path-selector.h
dm-queue-length.c
dm-raid1.c
dm-raid.c
dm-region-hash.c
dm-round-robin.c
dm-service-time.c
dm-snap-persistent.c
dm-snap-transient.c
dm-snap.c sched: Remove proliferation of wait_on_bit() action functions 2014-07-16 15:10:39 +02:00
dm-stats.c
dm-stats.h
dm-stripe.c
dm-switch.c dm switch: efficiently support repetitive patterns 2014-08-01 12:30:37 -04:00
dm-sysfs.c
dm-table.c dm table: propagate QUEUE_FLAG_NO_SG_MERGE 2014-08-10 20:54:49 -04:00
dm-target.c
dm-thin-metadata.c dm thin metadata: do not allow the data block size to change 2014-07-15 14:05:26 -04:00
dm-thin-metadata.h
dm-thin.c dm thin: set minimum_io_size to pool's data block size 2014-08-01 12:30:35 -04:00
dm-uevent.c
dm-uevent.h
dm-verity.c
dm-zero.c dm crypt, dm zero: update author name following legal name change 2014-07-10 16:44:14 -04:00
dm.c dm: allocate a special workqueue for deferred device removal 2014-07-10 16:44:13 -04:00
dm.h dm table: make dm_table_supports_discards static 2014-08-01 12:30:34 -04:00
faulty.c
Kconfig
linear.c
linear.h
Makefile
md.c md: don't allow bitmap file to be added to raid0/linear. 2014-08-08 15:43:20 +10:00
md.h
multipath.c
multipath.h
raid0.c md/raid0: check for bitmap compatability when changing raid levels. 2014-08-08 15:33:17 +10:00
raid0.h
raid1.c md/raid1,raid10: always abort recover on write error. 2014-07-31 10:16:52 +10:00
raid1.h
raid5.c md/raid6: avoid data corruption during recovery of double-degraded RAID6 2014-08-18 14:49:46 +10:00
raid5.h
raid10.c md/raid10: always initialise ->state on newly allocated r10_bio 2014-08-19 17:20:27 +10:00
raid10.h