07 Sep, 2013
2 commits
-
It might be possible for two callers to race the mutex lock after the
NULL ctx check. Instead, move the lock above the check so there isn't
the possibility of leaking a crypto ctx. Additionally, report the full
algo name when failing.Signed-off-by: Kees Cook
[tyhicks: remove out label, which is no longer used]
Signed-off-by: Tyler Hicks -
It doesn't make sense to check if an array is NULL. The compiler just
removes the check.Signed-off-by: Dan Carpenter
Signed-off-by: Tyler Hicks
12 Jul, 2013
1 commit
-
…el/git/tyhicks/ecryptfs
Pull eCryptfs updates from Tyler Hicks:
"Code cleanups and improved buffer handling during page crypto
operations:
- Remove redundant code by merging some encrypt and decrypt functions
- Get rid of a helper page allocation during page decryption by using
in-place decryption
- Better use of entire pages during page crypto operations
- Several code cleanups"* tag 'ecryptfs-3.11-rc1-cleanup' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs:
Use ecryptfs_dentry_to_lower_path in a couple of places
eCryptfs: Make extent and scatterlist crypt function parameters similar
eCryptfs: Collapse crypt_page_offset() into crypt_extent()
eCryptfs: Merge ecryptfs_encrypt_extent() and ecryptfs_decrypt_extent()
eCryptfs: Combine page_offset crypto functions
eCryptfs: Combine encrypt_scatterlist() and decrypt_scatterlist()
eCryptfs: Decrypt pages in-place
eCryptfs: Accept one offset parameter in page offset crypto functions
eCryptfs: Simplify lower file offset calculation
eCryptfs: Read/write entire page during page IO
eCryptfs: Use entire helper page during page crypto operations
eCryptfs: Cocci spatch "memdup.spatch"
29 Jun, 2013
1 commit
-
Signed-off-by: Al Viro
08 Jun, 2013
10 commits
-
The 'dest' abbreviation is only used in crypt_scatterlist(), while all
other functions in crypto.c use 'dst' so dest_sg should be renamed to
dst_sg.The crypt_stat parameter is typically the first parameter in internal
eCryptfs functions so crypt_stat and dst_page should be swapped in
crypt_extent().Signed-off-by: Tyler Hicks
-
crypt_page_offset() simply initialized the two scatterlists and called
crypt_scatterlist() so it is simple enough to move into the only
function that calls it.Signed-off-by: Tyler Hicks
-
They are identical except if the src_page or dst_page index is used, so
they can be merged safely if page_index is conditionally assigned.Signed-off-by: Tyler Hicks
-
Combine ecryptfs_encrypt_page_offset() and
ecryptfs_decrypt_page_offset(). These two functions are functionally
identical so they can be safely merged if the caller can indicate
whether an encryption or decryption operation should occur.Signed-off-by: Tyler Hicks
-
These two functions are identical except for a debug printk and whether
they call crypto_ablkcipher_encrypt() or crypto_ablkcipher_decrypt(), so
they can be safely merged if the caller can indicate if encryption or
decryption should occur.The debug printk is useless so it is removed.
Two new #define's are created to indicate if an ENCRYPT or DECRYPT
operation is desired.Signed-off-by: Tyler Hicks
-
When reading in a page, eCryptfs would allocate a helper page, fill it
with encrypted data from the lower filesytem, and then decrypt the data
from the encrypted page and store the result in the eCryptfs page cache
page.The crypto API supports in-place crypto operations which means that the
allocation of the helper page is unnecessary when decrypting. This patch
gets rid of the unneeded page allocation by reading encrypted data from
the lower filesystem directly into the page cache page. The page cache
page is then decrypted in-place.Signed-off-by: Tyler Hicks
-
There is no longer a need to accept different offset values for the
source and destination pages when encrypting/decrypting an extent in an
eCryptfs page. The two offsets can be collapsed into a single parameter.Signed-off-by: Tyler Hicks
-
Now that lower filesystem IO operations occur for complete
PAGE_CACHE_SIZE bytes, the calculation for converting an eCryptfs extent
index into a lower file offset can be simplified.Signed-off-by: Tyler Hicks
-
When reading and writing encrypted pages, perform IO using the entire
page all at once rather than 4096 bytes at a time.This only affects architectures where PAGE_CACHE_SIZE is larger than
4096 bytes.Signed-off-by: Tyler Hicks
-
When encrypting eCryptfs pages and decrypting pages from the lower
filesystem, utilize the entire helper page rather than only the first
4096 bytes.This only affects architectures where PAGE_CACHE_SIZE is larger than
4096 bytes.Signed-off-by: Tyler Hicks
10 May, 2013
1 commit
-
Make the switch from the blkcipher kernel crypto interface to the
ablkcipher interface.encrypt_scatterlist() and decrypt_scatterlist() now use the ablkcipher
interface but, from the eCryptfs standpoint, still treat the crypto
operation as a synchronous operation. They submit the async request and
then wait until the operation is finished before they return. Most of
the changes are contained inside those two functions.Despite waiting for the completion of the crypto operation, the
ablkcipher interface provides performance increases in most cases when
used on AES-NI capable hardware.Signed-off-by: Tyler Hicks
Acked-by: Colin King
Reviewed-by: Zeev Zilberman
Cc: Dustin Kirkland
Cc: Tim Chen
Cc: Ying Huang
Cc: Thieu Le
Cc: Li Wang
Cc: Jarkko Sakkinen
29 Jan, 2013
1 commit
-
This is always called with a valid "sg" pointer. My static checker
complains because the call to sg_init_table() dereferences "sg" before
we reach the checks.Signed-off-by: Dan Carpenter
Signed-off-by: Tyler Hicks
19 Dec, 2012
1 commit
-
the function ecryptfs_encode_for_filename() is only used in this file
Signed-off-by: Cong Ding
Signed-off-by: Tyler Hicks
17 Feb, 2012
1 commit
-
statfs() calls on eCryptfs files returned the wrong filesystem type and,
when using filename encryption, the wrong maximum filename length.If mount-wide filename encryption is enabled, the cipher block size and
the lower filesystem's max filename length will determine the max
eCryptfs filename length. Pre-tested, known good lengths are used when
the lower filesystem's namelen is 255 and a cipher with 8 or 16 byte
block sizes is used. In other, less common cases, we fall back to a safe
rounded-down estimate when determining the eCryptfs namelen.https://launchpad.net/bugs/885744
Signed-off-by: Tyler Hicks
Reported-by: Kees Cook
Reviewed-by: Kees Cook
Reviewed-by: John Johansen
26 Jan, 2012
3 commits
-
If pages passed to the eCryptfs extent-based crypto functions are not
mapped and the module parameter ecryptfs_verbosity=1 was specified at
loading time, a NULL pointer dereference will occur.Note that this wouldn't happen on a production system, as you wouldn't
pass ecryptfs_verbosity=1 on a production system. It leaks private
information to the system logs and is for debugging only.The debugging info printed in these messages is no longer very useful
and rather than doing a kmap() in these debugging paths, it will be
better to simply remove the debugging paths completely.https://launchpad.net/bugs/913651
Signed-off-by: Tyler Hicks
Reported-by: Daniel DeFreez
Cc: -
Removes unneeded variable initialization in ecryptfs_read_metadata(). Also adds
a small comment to help explain metadata reading logic.[tyhicks@canonical.com: Pulled out of for-stable patch and wrote commit msg]
Signed-off-by: Tim Gardner
Signed-off-by: Tyler Hicks -
Print inode on metadata read failure. The only real
way of dealing with metadata read failures is to delete
the underlying file system file. Having the inode
allows one to 'find . -inum INODE`.[tyhicks@canonical.com: Removed some minor not-for-stable parts]
Signed-off-by: Tim Gardner
Reviewed-by: Kees Cook
Cc: stable@vger.kernel.org
Signed-off-by: Tyler Hicks
24 Nov, 2011
2 commits
-
From mhalcrow's original commit message:
Characters with ASCII values greater than the size of
filename_rev_map[] are valid filename characters.
ecryptfs_decode_from_filename() will access kernel memory beyond
that array, and ecryptfs_parse_tag_70_packet() will then decrypt
those characters. The attacker, using the FNEK of the crafted file,
can then re-encrypt the characters to reveal the kernel memory past
the end of the filename_rev_map[] array. I expect low security
impact since this array is statically allocated in the text area,
and the amount of memory past the array that is accessible is
limited by the largest possible ASCII filename character.This patch solves the issue reported by mhalcrow but with an
implementation suggested by Linus to simply extend the length of
filename_rev_map[] to 256. Characters greater than 0x7A are mapped to
0x00, which is how invalid characters less than 0x7A were previously
being handled.Signed-off-by: Tyler Hicks
Reported-by: Michael Halcrow
Cc: stable@kernel.org -
The file creation path prematurely called d_instantiate() and
unlock_new_inode() before the eCryptfs inode info was fully
allocated and initialized and before the eCryptfs metadata was written
to the lower file.This could result in race conditions in subsequent file and inode
operations leading to unexpected error conditions or a null pointer
dereference while attempting to use the unallocated memory.https://launchpad.net/bugs/813146
Signed-off-by: Tyler Hicks
Cc: stable@kernel.org
30 May, 2011
4 commits
-
Now that ecryptfs_lookup_interpose() is no longer using
ecryptfs_header_cache_2 to read in metadata, the kmem_cache can be
removed and the ecryptfs_header_cache_1 kmem_cache can be renamed to
ecryptfs_header_cache.Signed-off-by: Tyler Hicks
-
ecryptfs_lookup_interpose() has turned into spaghetti code over the
years. This is an effort to clean it up.- Shorten overly descriptive variable names such as ecryptfs_dentry
- Simplify gotos and error paths
- Create helper function for reading plaintext i_size from metadataIt also includes an optimization when reading i_size from the metadata.
A complete page-sized kmem_cache_alloc() was being done to read in 16
bytes of metadata. The buffer for that is now statically declared.Signed-off-by: Tyler Hicks
-
Instead of having the calling functions translate the true/false return
code to either 0 or -EINVAL, have contains_ecryptfs_marker() return 0 or
-EINVAL so that the calling functions can just reuse the return code.Also, rename the function to ecryptfs_validate_marker() to avoid callers
mistakenly thinking that it returns true/false codes.Signed-off-by: Tyler Hicks
-
Only unlock and d_add() new inodes after the plaintext inode size has
been read from the lower filesystem. This fixes a race condition that
was sometimes seen during a multi-job kernel build in an eCryptfs mount.https://bugzilla.kernel.org/show_bug.cgi?id=36002
Signed-off-by: Tyler Hicks
Reported-by: David
Tested-by: David
26 Apr, 2011
1 commit
-
When failing to read the lower file's crypto metadata during a lookup,
eCryptfs must continue on without throwing an error. For example, there
may be a plaintext file in the lower mount point that the user wants to
delete through the eCryptfs mount.If an error is encountered while reading the metadata in lookup(), the
eCryptfs inode's size could be incorrect. We must be sure to reread the
plaintext inode size from the metadata when performing an open() or
setattr(). The metadata is already being read in those paths, so this
adds minimal performance overhead.This patch introduces a flag which will track whether or not the
plaintext inode size has been read so that an incorrect i_size can be
fixed in the open() or setattr() paths.https://bugs.launchpad.net/bugs/509180
Cc:
Signed-off-by: Tyler Hicks
28 Mar, 2011
2 commits
-
This patch removes the 'num_global_auth_toks' field of the
ecryptfs_mount_crypt_stat structure, used to count the number of items in
the 'global_auth_tok_list' list. This variable is not needed because there
are no checks based upon it.Signed-off-by: Roberto Sassu
Signed-off-by: Tyler Hicks -
When creating a new eCryptfs file, the crypto metadata is written out
and then the lower file was being "grown" with 4 kB of encrypted zeroes.
I suspect that growing the encrypted file was to prevent an information
leak that the unencrypted file was empty. However, the unencrypted file
size is stored, in plaintext, in the metadata so growing the file is
unnecessary.Signed-off-by: Tyler Hicks
18 Jan, 2011
2 commits
-
Commit cb55d21f6fa19d8c6c2680d90317ce88c1f57269 revealed a number of
missing 'z' length modifiers in calls to ecryptfs_printk() when
printing variables of type size_t. This patch fixes those compiler
warnings.Signed-off-by: Tyler Hicks
-
Add __attribute__((format... to __ecryptfs_printk
Make formats and arguments match.
Add casts to (unsigned long long) for %llu.Signed-off-by: Joe Perches
[tyhicks: 80 columns cleanup and fixed typo]
Signed-off-by: Tyler Hicks
27 Aug, 2010
2 commits
-
Fixes a regression caused by 21edad32205e97dc7ccb81a85234c77e760364c8
When file name encryption was enabled, ecryptfs_lookup() failed to use
the encrypted and encoded version of the upper, plaintext, file name
when performing a lookup in the lower file system. This made it
impossible to lookup existing encrypted file names and any newly created
files would have plaintext file names in the lower file system.https://bugs.launchpad.net/ecryptfs/+bug/623087
Signed-off-by: Tyler Hicks
-
Some ecryptfs init functions are not prefixed by __init and thus not
freed after initialization. This patch saved about 1kB in ecryptfs
module.Signed-off-by: Jerome Marchand
Signed-off-by: Tyler Hicks
17 Jun, 2010
1 commit
-
Signed-off-by: Uwe Kleine-König
Signed-off-by: Jiri Kosina
20 Apr, 2010
1 commit
-
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ecryptfs/ecryptfs-2.6:
eCryptfs: Turn lower lookup error messages into debug messages
eCryptfs: Copy lower directory inode times and size on link
ecryptfs: fix use with tmpfs by removing d_drop from ecryptfs_destroy_inode
ecryptfs: fix error code for missing xattrs in lower fs
eCryptfs: Decrypt symlink target for stat size
eCryptfs: Strip metadata in xattr flag in encrypted view
eCryptfs: Clear buffer before reading in metadata xattr
eCryptfs: Rename ecryptfs_crypt_stat.num_header_bytes_at_front
eCryptfs: Fix metadata in xattr feature regression
30 Mar, 2010
1 commit
-
…it slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
24 Mar, 2010
3 commits
-
The ecryptfs_encrypted_view mount option provides a unified way of
viewing encrypted eCryptfs files. If the metadata is stored in a xattr,
the metadata is moved to the file header when the file is read inside
the eCryptfs mount. Because of this, we should strip the
ECRYPTFS_METADATA_IN_XATTR flag from the header's flag section. This
allows eCryptfs to treat the file as an eCryptfs file with a header
at the front.Reviewed-by: Eric Sandeen
Signed-off-by: Tyler Hicks -
We initially read in the first PAGE_CACHE_SIZE of a file to if the
eCryptfs header marker can be found. If it isn't found and
ecryptfs_xattr_metadata was given as a mount option, then the
user.ecryptfs xattr is read into the same buffer. Since the data from
the first page of the file wasn't cleared, it is possible that we think
we've found a second tag 3 or tag 1 packet and then error out after the
packet contents aren't as expected. This patch clears the buffer before
filling it with metadata from the user.ecryptfs xattr.Reviewed-by: Eric Sandeen
Signed-off-by: Tyler Hicks -
This patch renames the num_header_bytes_at_front variable to
metadata_size since it now contains the max size of the metadata.Reviewed-by: Eric Sandeen
Signed-off-by: Tyler Hicks