Commit d4eaa283 authored by Waiman Long's avatar Waiman Long Committed by Linus Torvalds
Browse files

mm: add kvfree_sensitive() for freeing sensitive data objects 



For kvmalloc'ed data object that contains sensitive information like
cryptographic keys, we need to make sure that the buffer is always cleared
before freeing it.  Using memset() alone for buffer clearing may not
provide certainty as the compiler may compile it away.  To be sure, the
special memzero_explicit() has to be used.

This patch introduces a new kvfree_sensitive() for freeing those sensitive
data objects allocated by kvmalloc().  The relevant places where
kvfree_sensitive() can be used are modified to use it.

Fixes: 4f088249 ("KEYS: Avoid false positive ENOMEM error on key read")
Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: default avatarWaiman Long <longman@redhat.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Reviewed-by: default avatarEric Biggers <ebiggers@google.com>
Acked-by: default avatarDavid Howells <dhowells@redhat.com>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Joe Perches <joe@perches.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Uladzislau Rezki <urezki@gmail.com>
Link: http://lkml.kernel.org/r/20200407200318.11711-1-longman@redhat.com


Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 090e77e1

include/linux/mm.h

+1 −0
Original line number Diff line number Diff line
@@ -776,6 +776,7 @@ static inline void *kvcalloc(size_t n, size_t size, gfp_t flags) 
}



extern void kvfree(const void *addr);

extern void kvfree_sensitive(const void *addr, size_t len);



/*

 * Mapcount of compound page as a whole, does not include mapped sub-pages.

mm/util.c

+18 −0
Original line number Diff line number Diff line
@@ -604,6 +604,24 @@ void kvfree(const void *addr) 
}

EXPORT_SYMBOL(kvfree);



/**

 * kvfree_sensitive - Free a data object containing sensitive information.

 * @addr: address of the data object to be freed.

 * @len: length of the data object.

 *

 * Use the special memzero_explicit() function to clear the content of a

 * kvmalloc'ed object containing sensitive data to make sure that the

 * compiler won't optimize out the data clearing.

 */

void kvfree_sensitive(const void *addr, size_t len)

{

	if (likely(!ZERO_OR_NULL_PTR(addr))) {

		memzero_explicit((void *)addr, len);

		kvfree(addr);

	}

}

EXPORT_SYMBOL(kvfree_sensitive);



static inline void *__page_rmapping(struct page *page)

{

	unsigned long mapping;

security/keys/internal.h

+0 −11
Original line number Diff line number Diff line
@@ -350,15 +350,4 @@ static inline void key_check(const struct key *key) 
#define key_check(key) do {} while(0)



#endif



/*

 * Helper function to clear and free a kvmalloc'ed memory object.

 */

static inline void __kvzfree(const void *addr, size_t len)

{

	if (addr) {

		memset((void *)addr, 0, len);

		kvfree(addr);

	}

}

#endif /* _INTERNAL_H */

security/keys/keyctl.c

+5 −11
Original line number Diff line number Diff line
@@ -142,10 +142,7 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type, 


	key_ref_put(keyring_ref);

 error3:

	if (payload) {

		memzero_explicit(payload, plen);

		kvfree(payload);

	}

	kvfree_sensitive(payload, plen);

 error2:

	kfree(description);

 error:
@@ -360,7 +357,7 @@ long keyctl_update_key(key_serial_t id, 


	key_ref_put(key_ref);

error2:

	__kvzfree(payload, plen);

	kvfree_sensitive(payload, plen);

error:

	return ret;

}
@@ -914,7 +911,7 @@ can_read_key: 
		 */

		if (ret > key_data_len) {

			if (unlikely(key_data))

				__kvzfree(key_data, key_data_len);

				kvfree_sensitive(key_data, key_data_len);

			key_data_len = ret;

			continue;	/* Allocate buffer */

		}
@@ -923,7 +920,7 @@ can_read_key: 
			ret = -EFAULT;

		break;

	}

	__kvzfree(key_data, key_data_len);

	kvfree_sensitive(key_data, key_data_len);



key_put_out:

	key_put(key);
@@ -1225,10 +1222,7 @@ long keyctl_instantiate_key_common(key_serial_t id, 
		keyctl_change_reqkey_auth(NULL);



error2:

	if (payload) {

		memzero_explicit(payload, plen);

		kvfree(payload);

	}

	kvfree_sensitive(payload, plen);

error:

	return ret;

}

CRA Git | Maintained and supported by SUSTech CRA and CCSE