lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20201019152301.GC32403@fieldses.org>
Date:   Mon, 19 Oct 2020 11:23:01 -0400
From:   "J. Bruce Fields" <bfields@...ldses.org>
To:     Martijn de Gouw <martijn.de.gouw@...drive-technologies.com>
Cc:     Trond Myklebust <trond.myklebust@...merspace.com>,
        Anna Schumaker <anna.schumaker@...app.com>,
        Chuck Lever <chuck.lever@...cle.com>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Arnd Bergmann <arnd@...db.de>, NeilBrown <neilb@...e.de>,
        Alexey Dobriyan <adobriyan@...il.com>,
        Roberto Bergantinos Corpas <rbergant@...hat.com>,
        "open list:NFS, SUNRPC, AND LOCKD CLIENTS" 
        <linux-nfs@...r.kernel.org>,
        "open list:NETWORKING [GENERAL]" <netdev@...r.kernel.org>,
        open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] SUNRPC: fix copying of multiple pages in
 gss_read_proxy_verf()

On Mon, Oct 19, 2020 at 01:42:27PM +0200, Martijn de Gouw wrote:
> When the passed token is longer than 4032 bytes, the remaining part
> of the token must be copied from the rqstp->rq_arg.pages. But the
> copy must make sure it happens in a consecutive way.

Thanks.  Apologies, but I don't immediately see where the copy is
non-consecutive.  What exactly is the bug in the existing code?

--b.

> 
> Signed-off-by: Martijn de Gouw <martijn.de.gouw@...drive-technologies.com>
> ---
>  net/sunrpc/auth_gss/svcauth_gss.c | 27 +++++++++++++++++----------
>  1 file changed, 17 insertions(+), 10 deletions(-)
> 
> diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
> index 258b04372f85..bd4678db9d76 100644
> --- a/net/sunrpc/auth_gss/svcauth_gss.c
> +++ b/net/sunrpc/auth_gss/svcauth_gss.c
> @@ -1147,9 +1147,9 @@ static int gss_read_proxy_verf(struct svc_rqst *rqstp,
>  			       struct gssp_in_token *in_token)
>  {
>  	struct kvec *argv = &rqstp->rq_arg.head[0];
> -	unsigned int page_base, length;
> -	int pages, i, res;
> -	size_t inlen;
> +	unsigned int length, pgto_offs, pgfrom_offs;
> +	int pages, i, res, pgto, pgfrom;
> +	size_t inlen, to_offs, from_offs;
>  
>  	res = gss_read_common_verf(gc, argv, authp, in_handle);
>  	if (res)
> @@ -1177,17 +1177,24 @@ static int gss_read_proxy_verf(struct svc_rqst *rqstp,
>  	memcpy(page_address(in_token->pages[0]), argv->iov_base, length);
>  	inlen -= length;
>  
> -	i = 1;
> -	page_base = rqstp->rq_arg.page_base;
> +	to_offs = length;
> +	from_offs = rqstp->rq_arg.page_base;
>  	while (inlen) {
> -		length = min_t(unsigned int, inlen, PAGE_SIZE);
> -		memcpy(page_address(in_token->pages[i]),
> -		       page_address(rqstp->rq_arg.pages[i]) + page_base,
> +		pgto = to_offs >> PAGE_SHIFT;
> +		pgfrom = from_offs >> PAGE_SHIFT;
> +		pgto_offs = to_offs & ~PAGE_MASK;
> +		pgfrom_offs = from_offs & ~PAGE_MASK;
> +
> +		length = min_t(unsigned int, inlen,
> +			 min_t(unsigned int, PAGE_SIZE - pgto_offs,
> +			       PAGE_SIZE - pgfrom_offs));
> +		memcpy(page_address(in_token->pages[pgto]) + pgto_offs,
> +		       page_address(rqstp->rq_arg.pages[pgfrom]) + pgfrom_offs,
>  		       length);
>  
> +		to_offs += length;
> +		from_offs += length;
>  		inlen -= length;
> -		page_base = 0;
> -		i++;
>  	}
>  	return 0;
>  }
> -- 
> 2.20.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ