Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client

Pull Ceph fixes from Sage Weil:
 "The main thing here is a set of three patches that fix a buffer
  overrun for large authentication tickets (sigh).

  There is also a trivial warning fix and an error path fix that are
  both regressions"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
  libceph: do not hard code max auth ticket len
  libceph: add process_one_ticket() helper
  libceph: gracefully handle large reply messages from the mon
  rbd: fix error return code in rbd_dev_device_setup()
  rbd: avoid format-security warning inside alloc_workqueue()
Linus Torvalds 11 years ago
parent
7ee2d2d671 c27a3e4d66
commit
c73f6fdf2f
3 changed files with 147 additions and 123 deletions
Split View Show Diff Stats
  1. 4 2
      drivers/block/rbd.c
  2. 135 121
      net/ceph/auth_x.c
  3. 8 0
      net/ceph/mon_client.c

+ 4 - 2
drivers/block/rbd.c
View File 

@@ -5087,9 +5087,11 @@ static int rbd_dev_device_setup(struct rbd_device *rbd_dev)
 
 	set_capacity(rbd_dev->disk, rbd_dev->mapping.size / SECTOR_SIZE);
 
 	set_disk_ro(rbd_dev->disk, rbd_dev->mapping.read_only);
 
 
-	rbd_dev->rq_wq = alloc_workqueue(rbd_dev->disk->disk_name, 0, 0);
 
-	if (!rbd_dev->rq_wq)
 
+	rbd_dev->rq_wq = alloc_workqueue("%s", 0, 0, rbd_dev->disk->disk_name);
 
+	if (!rbd_dev->rq_wq) {
 
+		ret = -ENOMEM;
 
 		goto err_out_mapping;
 
+	}
 
 
 	ret = rbd_bus_add_dev(rbd_dev);
 
 	if (ret)

+ 135 - 121
net/ceph/auth_x.c
View File 

@@ -13,8 +13,6 @@
 
 #include "auth_x.h"
 
 #include "auth_x_protocol.h"
 
 
-#define TEMP_TICKET_BUF_LEN	256
 
-
 
 static void ceph_x_validate_tickets(struct ceph_auth_client *ac, int *pneed);
 
 
 static int ceph_x_is_authenticated(struct ceph_auth_client *ac)
 
@@ -64,7 +62,7 @@ static int ceph_x_encrypt(struct ceph_crypto_key *secret,
 
 }
 
 
 static int ceph_x_decrypt(struct ceph_crypto_key *secret,
 
-			  void **p, void *end, void *obuf, size_t olen)
 
+			  void **p, void *end, void **obuf, size_t olen)
 
 {
 
 	struct ceph_x_encrypt_header head;
 
 	size_t head_len = sizeof(head);
 
@@ -75,8 +73,14 @@ static int ceph_x_decrypt(struct ceph_crypto_key *secret,
 
 		return -EINVAL;
 
 
 	dout("ceph_x_decrypt len %d\n", len);
 
-	ret = ceph_decrypt2(secret, &head, &head_len, obuf, &olen,
 
-			    *p, len);
 
+	if (*obuf == NULL) {
 
+		*obuf = kmalloc(len, GFP_NOFS);
 
+		if (!*obuf)
 
+			return -ENOMEM;
 
+		olen = len;
 
+	}
 
+
 
+	ret = ceph_decrypt2(secret, &head, &head_len, *obuf, &olen, *p, len);
 
 	if (ret)
 
 		return ret;
 
 	if (head.struct_v != 1 || le64_to_cpu(head.magic) != CEPHX_ENC_MAGIC)
 
@@ -129,139 +133,120 @@ static void remove_ticket_handler(struct ceph_auth_client *ac,
 
 	kfree(th);
 
 }
 
 
-static int ceph_x_proc_ticket_reply(struct ceph_auth_client *ac,
 
-				    struct ceph_crypto_key *secret,
 
-				    void *buf, void *end)
 
+static int process_one_ticket(struct ceph_auth_client *ac,
 
+			      struct ceph_crypto_key *secret,
 
+			      void **p, void *end)
 
 {
 
 	struct ceph_x_info *xi = ac->private;
 
-	int num;
 
-	void *p = buf;
 
+	int type;
 
+	u8 tkt_struct_v, blob_struct_v;
 
+	struct ceph_x_ticket_handler *th;
 
+	void *dbuf = NULL;
 
+	void *dp, *dend;
 
+	int dlen;
 
+	char is_enc;
 
+	struct timespec validity;
 
+	struct ceph_crypto_key old_key;
 
+	void *ticket_buf = NULL;
 
+	void *tp, *tpend;
 
+	struct ceph_timespec new_validity;
 
+	struct ceph_crypto_key new_session_key;
 
+	struct ceph_buffer *new_ticket_blob;
 
+	unsigned long new_expires, new_renew_after;
 
+	u64 new_secret_id;
 
 	int ret;
 
-	char *dbuf;
 
-	char *ticket_buf;
 
-	u8 reply_struct_v;
 
 
-	dbuf = kmalloc(TEMP_TICKET_BUF_LEN, GFP_NOFS);
 
-	if (!dbuf)
 
-		return -ENOMEM;
 
+	ceph_decode_need(p, end, sizeof(u32) + 1, bad);
 
 
-	ret = -ENOMEM;
 
-	ticket_buf = kmalloc(TEMP_TICKET_BUF_LEN, GFP_NOFS);
 
-	if (!ticket_buf)
 
-		goto out_dbuf;
 
+	type = ceph_decode_32(p);
 
+	dout(" ticket type %d %s\n", type, ceph_entity_type_name(type));
 
 
-	ceph_decode_need(&p, end, 1 + sizeof(u32), bad);
 
-	reply_struct_v = ceph_decode_8(&p);
 
-	if (reply_struct_v != 1)
 
+	tkt_struct_v = ceph_decode_8(p);
 
+	if (tkt_struct_v != 1)
 
 		goto bad;
 
-	num = ceph_decode_32(&p);
 
-	dout("%d tickets\n", num);
 
-	while (num--) {
 
-		int type;
 
-		u8 tkt_struct_v, blob_struct_v;
 
-		struct ceph_x_ticket_handler *th;
 
-		void *dp, *dend;
 
-		int dlen;
 
-		char is_enc;
 
-		struct timespec validity;
 
-		struct ceph_crypto_key old_key;
 
-		void *tp, *tpend;
 
-		struct ceph_timespec new_validity;
 
-		struct ceph_crypto_key new_session_key;
 
-		struct ceph_buffer *new_ticket_blob;
 
-		unsigned long new_expires, new_renew_after;
 
-		u64 new_secret_id;
 
-
 
-		ceph_decode_need(&p, end, sizeof(u32) + 1, bad);
 
-
 
-		type = ceph_decode_32(&p);
 
-		dout(" ticket type %d %s\n", type, ceph_entity_type_name(type));
 
-
 
-		tkt_struct_v = ceph_decode_8(&p);
 
-		if (tkt_struct_v != 1)
 
-			goto bad;
 
-
 
-		th = get_ticket_handler(ac, type);
 
-		if (IS_ERR(th)) {
 
-			ret = PTR_ERR(th);
 
-			goto out;
 
-		}
 
 
-		/* blob for me */
 
-		dlen = ceph_x_decrypt(secret, &p, end, dbuf,
 
-				      TEMP_TICKET_BUF_LEN);
 
-		if (dlen <= 0) {
 
-			ret = dlen;
 
-			goto out;
 
-		}
 
-		dout(" decrypted %d bytes\n", dlen);
 
-		dend = dbuf + dlen;
 
-		dp = dbuf;
 
+	th = get_ticket_handler(ac, type);
 
+	if (IS_ERR(th)) {
 
+		ret = PTR_ERR(th);
 
+		goto out;
 
+	}
 
 
-		tkt_struct_v = ceph_decode_8(&dp);
 
-		if (tkt_struct_v != 1)
 
-			goto bad;
 
+	/* blob for me */
 
+	dlen = ceph_x_decrypt(secret, p, end, &dbuf, 0);
 
+	if (dlen <= 0) {
 
+		ret = dlen;
 
+		goto out;
 
+	}
 
+	dout(" decrypted %d bytes\n", dlen);
 
+	dp = dbuf;
 
+	dend = dp + dlen;
 
 
-		memcpy(&old_key, &th->session_key, sizeof(old_key));
 
-		ret = ceph_crypto_key_decode(&new_session_key, &dp, dend);
 
-		if (ret)
 
-			goto out;
 
+	tkt_struct_v = ceph_decode_8(&dp);
 
+	if (tkt_struct_v != 1)
 
+		goto bad;
 
 
-		ceph_decode_copy(&dp, &new_validity, sizeof(new_validity));
 
-		ceph_decode_timespec(&validity, &new_validity);
 
-		new_expires = get_seconds() + validity.tv_sec;
 
-		new_renew_after = new_expires - (validity.tv_sec / 4);
 
-		dout(" expires=%lu renew_after=%lu\n", new_expires,
 
-		     new_renew_after);
 
+	memcpy(&old_key, &th->session_key, sizeof(old_key));
 
+	ret = ceph_crypto_key_decode(&new_session_key, &dp, dend);
 
+	if (ret)
 
+		goto out;
 
 
-		/* ticket blob for service */
 
-		ceph_decode_8_safe(&p, end, is_enc, bad);
 
-		tp = ticket_buf;
 
-		if (is_enc) {
 
-			/* encrypted */
 
-			dout(" encrypted ticket\n");
 
-			dlen = ceph_x_decrypt(&old_key, &p, end, ticket_buf,
 
-					      TEMP_TICKET_BUF_LEN);
 
-			if (dlen < 0) {
 
-				ret = dlen;
 
-				goto out;
 
-			}
 
-			dlen = ceph_decode_32(&tp);
 
-		} else {
 
-			/* unencrypted */
 
-			ceph_decode_32_safe(&p, end, dlen, bad);
 
-			ceph_decode_need(&p, end, dlen, bad);
 
-			ceph_decode_copy(&p, ticket_buf, dlen);
 
+	ceph_decode_copy(&dp, &new_validity, sizeof(new_validity));
 
+	ceph_decode_timespec(&validity, &new_validity);
 
+	new_expires = get_seconds() + validity.tv_sec;
 
+	new_renew_after = new_expires - (validity.tv_sec / 4);
 
+	dout(" expires=%lu renew_after=%lu\n", new_expires,
 
+	     new_renew_after);
 
+
 
+	/* ticket blob for service */
 
+	ceph_decode_8_safe(p, end, is_enc, bad);
 
+	if (is_enc) {
 
+		/* encrypted */
 
+		dout(" encrypted ticket\n");
 
+		dlen = ceph_x_decrypt(&old_key, p, end, &ticket_buf, 0);
 
+		if (dlen < 0) {
 
+			ret = dlen;
 
+			goto out;
 
 		}
 
-		tpend = tp + dlen;
 
-		dout(" ticket blob is %d bytes\n", dlen);
 
-		ceph_decode_need(&tp, tpend, 1 + sizeof(u64), bad);
 
-		blob_struct_v = ceph_decode_8(&tp);
 
-		new_secret_id = ceph_decode_64(&tp);
 
-		ret = ceph_decode_buffer(&new_ticket_blob, &tp, tpend);
 
-		if (ret)
 
+		tp = ticket_buf;
 
+		dlen = ceph_decode_32(&tp);
 
+	} else {
 
+		/* unencrypted */
 
+		ceph_decode_32_safe(p, end, dlen, bad);
 
+		ticket_buf = kmalloc(dlen, GFP_NOFS);
 
+		if (!ticket_buf) {
 
+			ret = -ENOMEM;
 
 			goto out;
 
-
 
-		/* all is well, update our ticket */
 
-		ceph_crypto_key_destroy(&th->session_key);
 
-		if (th->ticket_blob)
 
-			ceph_buffer_put(th->ticket_blob);
 
-		th->session_key = new_session_key;
 
-		th->ticket_blob = new_ticket_blob;
 
-		th->validity = new_validity;
 
-		th->secret_id = new_secret_id;
 
-		th->expires = new_expires;
 
-		th->renew_after = new_renew_after;
 
-		dout(" got ticket service %d (%s) secret_id %lld len %d\n",
 
-		     type, ceph_entity_type_name(type), th->secret_id,
 
-		     (int)th->ticket_blob->vec.iov_len);
 
-		xi->have_keys |= th->service;
 
+		}
 
+		tp = ticket_buf;
 
+		ceph_decode_need(p, end, dlen, bad);
 
+		ceph_decode_copy(p, ticket_buf, dlen);
 
 	}
 
+	tpend = tp + dlen;
 
+	dout(" ticket blob is %d bytes\n", dlen);
 
+	ceph_decode_need(&tp, tpend, 1 + sizeof(u64), bad);
 
+	blob_struct_v = ceph_decode_8(&tp);
 
+	new_secret_id = ceph_decode_64(&tp);
 
+	ret = ceph_decode_buffer(&new_ticket_blob, &tp, tpend);
 
+	if (ret)
 
+		goto out;
 
+
 
+	/* all is well, update our ticket */
 
+	ceph_crypto_key_destroy(&th->session_key);
 
+	if (th->ticket_blob)
 
+		ceph_buffer_put(th->ticket_blob);
 
+	th->session_key = new_session_key;
 
+	th->ticket_blob = new_ticket_blob;
 
+	th->validity = new_validity;
 
+	th->secret_id = new_secret_id;
 
+	th->expires = new_expires;
 
+	th->renew_after = new_renew_after;
 
+	dout(" got ticket service %d (%s) secret_id %lld len %d\n",
 
+	     type, ceph_entity_type_name(type), th->secret_id,
 
+	     (int)th->ticket_blob->vec.iov_len);
 
+	xi->have_keys |= th->service;
 
 
-	ret = 0;
 
 out:
 
 	kfree(ticket_buf);
 
-out_dbuf:
 
 	kfree(dbuf);
 
 	return ret;
 
 
@@ -270,6 +255,34 @@ bad:
 
 	goto out;
 
 }
 
 
+static int ceph_x_proc_ticket_reply(struct ceph_auth_client *ac,
 
+				    struct ceph_crypto_key *secret,
 
+				    void *buf, void *end)
 
+{
 
+	void *p = buf;
 
+	u8 reply_struct_v;
 
+	u32 num;
 
+	int ret;
 
+
 
+	ceph_decode_8_safe(&p, end, reply_struct_v, bad);
 
+	if (reply_struct_v != 1)
 
+		return -EINVAL;
 
+
 
+	ceph_decode_32_safe(&p, end, num, bad);
 
+	dout("%d tickets\n", num);
 
+
 
+	while (num--) {
 
+		ret = process_one_ticket(ac, secret, &p, end);
 
+		if (ret)
 
+			return ret;
 
+	}
 
+
 
+	return 0;
 
+
 
+bad:
 
+	return -EINVAL;
 
+}
 
+
 
 static int ceph_x_build_authorizer(struct ceph_auth_client *ac,
 
 				   struct ceph_x_ticket_handler *th,
 
 				   struct ceph_x_authorizer *au)
 
@@ -583,13 +596,14 @@ static int ceph_x_verify_authorizer_reply(struct ceph_auth_client *ac,
 
 	struct ceph_x_ticket_handler *th;
 
 	int ret = 0;
 
 	struct ceph_x_authorize_reply reply;
 
+	void *preply = &reply;
 
 	void *p = au->reply_buf;
 
 	void *end = p + sizeof(au->reply_buf);
 
 
 	th = get_ticket_handler(ac, au->service);
 
 	if (IS_ERR(th))
 
 		return PTR_ERR(th);
 
-	ret = ceph_x_decrypt(&th->session_key, &p, end, &reply, sizeof(reply));
 
+	ret = ceph_x_decrypt(&th->session_key, &p, end, &preply, sizeof(reply));
 
 	if (ret < 0)
 
 		return ret;
 
 	if (ret != sizeof(reply))

+ 8 - 0
net/ceph/mon_client.c
View File 

@@ -1181,7 +1181,15 @@ static struct ceph_msg *mon_alloc_msg(struct ceph_connection *con,
 
 	if (!m) {
 
 		pr_info("alloc_msg unknown type %d\n", type);
 
 		*skip = 1;
 
+	} else if (front_len > m->front_alloc_len) {
 
+		pr_warning("mon_alloc_msg front %d > prealloc %d (%u#%llu)\n",
 
+			   front_len, m->front_alloc_len,
 
+			   (unsigned int)con->peer_name.type,
 
+			   le64_to_cpu(con->peer_name.num));
 
+		ceph_msg_put(m);
 
+		m = ceph_msg_new(type, front_len, GFP_NOFS, false);
 
 	}
 
+
 
 	return m;
 
 }