fscrypto: don't use on-stack buffer for key derivation

With the new (in 4.9) option to use a virtually-mapped stack
(CONFIG_VMAP_STACK), stack buffers cannot be used as input/output for
the scatterlist crypto API because they may not be directly mappable to
struct page.  get_crypt_info() was using a stack buffer to hold the
output from the encryption operation used to derive the per-file key.
Fix it by using a heap buffer.

This bug could most easily be observed in a CONFIG_DEBUG_SG kernel
because this allowed the BUG in sg_set_buf() to be triggered.

Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

diff --git a/fs/crypto/keyinfo.c b/fs/crypto/keyinfo.c
index 82f0285f5d084934d0c13d98d684fbbd3f69f3ed..67fb6d8876d06861a0048dbfe229cb95a867da6c 100644 (file)
--- a/fs/crypto/keyinfo.c
+++ b/fs/crypto/keyinfo.c
@@ -185,7 +185,7 @@ int get_crypt_info(struct inode *inode)
        struct crypto_skcipher *ctfm;
        const char *cipher_str;
        int keysize;
-       u8 raw_key[FS_MAX_KEY_SIZE];
+       u8 *raw_key = NULL;
        int res;
 
        res = fscrypt_initialize();
@@ -238,6 +238,15 @@ retry:
        if (res)
                goto out;
 
+       /*
+        * This cannot be a stack buffer because it is passed to the scatterlist
+        * crypto API as part of key derivation.
+        */
+       res = -ENOMEM;
+       raw_key = kmalloc(FS_MAX_KEY_SIZE, GFP_NOFS);
+       if (!raw_key)
+               goto out;
+
        if (fscrypt_dummy_context_enabled(inode)) {
                memset(raw_key, 0x42, FS_AES_256_XTS_KEY_SIZE);
                goto got_key;
@@ -276,7 +285,8 @@ got_key:
        if (res)
                goto out;
 
-       memzero_explicit(raw_key, sizeof(raw_key));
+       kzfree(raw_key);
+       raw_key = NULL;
        if (cmpxchg(&inode->i_crypt_info, NULL, crypt_info) != NULL) {
                put_crypt_info(crypt_info);
                goto retry;
@@ -287,7 +297,7 @@ out:
        if (res == -ENOKEY)
                res = 0;
        put_crypt_info(crypt_info);
-       memzero_explicit(raw_key, sizeof(raw_key));
+       kzfree(raw_key);
        return res;
 }