PATCH drivers/block/loop.c, 2.2.12, exposes encryption keys

Bear Giles (bear@coyotesong.com)
Sat, 4 Sep 1999 05:14:58 -0600 (MDT)

I found an inconsistency between include/linux/loop.h and
drivers/block/loop.c in 2.2.12. The former asserts that the encryption
key is "write-only" via IOCTL calls, the latter cheerfully copies a cached
encryption key into user space. The former semantics make a lot more sense,
from a security perspective.

This patch refuses to copy anything in the cache into user space. It
also identifies the "lo_init" field as write-only, and clears sensitive
information from an auto-variable. Individual transfer functions should
not be affected.

The tarball also contains a test program which shows that the 'secret'
DES password can read by root in the unpatched module, although to use
it you either need a DES loopback transfer function (how I discovered
this problem) or to modify this program to do a LOOP_SET_STATUS call first.

Bear Giles
bgiles@coyotesong.com

begin 644 loop.tar.gz
M'XL("+O\T#<``VQO;W`N=&%R`.U8;5,;1Q+V5^VOZ,AU1@*](X2!PX$0.4<=
MB5T1N:J<XU*M=F>E.58SFYE9L)+BO]_3LRL$6,3^XN2N2EV%A&9G>OIMGGYF
M6^T?AZ???C]\]@6EV^D,^GUZ1M3;[PSN?WOI[NUUB0;[@WYW?]#KX_]NI]??
M?4:=+VG44G+K0D/T;")"\T?S/O7\_U3.*=&YBBE4)%6DE976"14M:"+<C1!^
M-,UCT4ZERC^T4ZVSU@RS8PIB(Z^%L>U)JJ.KXDF$Z=1K]5K=7HOH<B:@W<R%
MH=!:89PE-PL=/@1A#[/(G-2*@BNQ(&FI>F.D$TVMTD65KF5(YV_.+B\H"M/4
M-ORB-'0.RJ*9$";)TW1!D<ZDL!1B%D9AU#V]7JURFG+L338+(_'0*"OFH7(R
MLC0/KP24I-K17!N!)\J*1I`8/<>P%5$.TQ:4P=U,1`Y^MX+@<@:CL]!%,S(B
MP29P3[-%"\1GX69233D<;+BW;HTQYXZ",+6:9"Q@2<*^\/QJJL=225<E#*7(
MCJ55<!H^_%&*@K3>4LD&42`5^Q5ZWPO+%86YT\WKT,APDOH-52RO99R'*3D3
M*IO`F"17$2^"LIG.L5N@$(<)`I(D<%;$WE=!."<3Y(*\P2@5%TK%H7?".LJ,
MGIIP3C<SB7A`T<V]9&\A@D:XK>#;X0@1L_9&&W@`^XP(8YHLR&AL608K5SZH
MR.9<QWDJX&_J8-ET1D7\`NEHH7,2$M,-*8&I(;%N+L))&%U][!S58!*=4RQM
MI%&V(@Z<SY_1B,R\3MJP=NPHDP4M'WF7,!QK;'#QYLW;\6AX.1Y=GE[^-/*%
MB?P8ZQ"@;Y`-^DZFP@:3*7^=1'JA$1JMIJU(SX._^J`_(:WBX/J(?ZD]/H'_
M_=U^;XG_>_O=`?"_NSOH;_#_SY!FLTD>VIL%;+?7X7UEA(,\$AER19W=P][@
M<&]`W8.#@V!G9Z=8_EGK^H?(M%]W<D+-_8/&/NWXSY.3@"J`QTH%P)>DX=0>
M5=K;)'7D4C)M3=MM3(AFH?$S5#@7[R[>C'\X_7XX'IW_>_C^"(]S(.%4`0O\
M/$PK>\$8C8!G_W/X<SF9[G3?%+J;J\4I#FREA-]W/2C>>?I9Y;&>I8U&`.6O
M1?RNSY;=XB_X*-#KVN?C@.T?=@\>!_HSUO7W#KLO5X'N]1H#VL%GM^<C3=MT
M]LT9U;B-&(&F"H6VSMCWH"\;\6LN#7>Q7,E?<T'G_[+<`BD.74A^^Q9Y;3\R
M`O^C16^%<VA/9I:=Q";$U)82SL\(=O`QY`85"0_RJ]Z[CA*4C&#5\U9\P&OR
MG*!LYFAQ,X"W3DB@RZY!?@7@CT6$%@N-,^%[!C#]2HC,*T.S7O((*%EGR:JQ
M8L^1,S)RF..=F:-OTUQ@3Z_+.X/>9![KN-%JRS=5(ZY%F")>^`:[2LCJN=!*
MT-2W4]\("[.B2%AV<M5:&K2VMS2HT^?L.Y_R%J_V01\YB0YUJ>FU_'#H1YIT
M&E]+J\V".'V>H5A"<8/TQ(3`B#*C31H57`#MEGF$OE%T=OIVS*%W8LH*8*WC
M[HV8\9/1SZ,Q+A+G/Y"ON;W=/A?=7K_3Z/:+\UV9BWF4+6JI;KYZ>#H;/L2M
MQX.\INP1:YZ/K?Q-U/G@5TJ-/`A#D=YC`F,S2$WS52[C(P04QYA/JV=-]TC3
M1YS)%16E:4F:P#PU+X81&>=.%<7ZT<(M:.:`;OE2Q8D!1L@PA8UQN?R!6LML
M!]0RGU@<,]9Z5Z]<W"U&$RQ[RF]XV&%HXIA:X6IKX]=IT#W8JQ_=5^@AK//^
M3L^#\6XY3I7;"CX2.<V-&#/4^,V101]W4+K<*)[H,[XW:'2[2/G^*N5+K1[2
MH;-,5('P>&Z=45P2RWD,[(WEK.+'?9CWNSYVU2TRL5)]?_0(N(X#MJ;@BAB^
M>(%89YR-VH,*KM?I=RS]H^`_H9)W7);YVI2LJ7U>4E;Y$UKKK/;6US!*&&PY
MTZF,%HTG4-/?XF*FN`^N5("%0ACV,2U73+[9>U8)$`0(-0I48A`J*_!3!5C4
M'WUV`3Y1?VO+;V=58WRK&CL]YMM3+333!KW@)0UB6W3BMT?:OJ;F\/7I3Q>7
M=.CK]Q:-]Z]F6/_;4O#_)M_A6M$7VN-3[W\&@(N2_^]V]GO,__M[&_[_I\CS
MDK?3WZV+I6[-7@6K(70QC#X<LPO;]IR7AX/V=G%73D*9@EWA0D[35$ZBYB2T
MS,3U/`-A,5_18;-&C"A8L-)U_Z[PBI\^CT4BP87\5?N[U56[\Z%_UMGE[0*0
MD\O[M_/RG44LYH`]D#\G5HR2-1=$%<^O921X]0V3HH*%E4R4WTT\QE&TZ@(2
M01FUI\(X(6C:N.N3-^*M$5EH/`$XY-]$SRD&L";';>S5_DT8#6ITW';SK.W?
MD$SL<?<*$<F5.^XN5Z0:Z)EGU!3^_85?RE9WZ&YAN1\Q=U7L]CQS(@92*WX7
M!F[VLLF7CC#BG\N7*Z65[4`R/06SI-JUEG$]^#VHO#Z_&-)VDAT%_K9"DSP!
M7W[7ZW1P60E\QZPE&2`XT1EVK%575E4;5#55`.TQ`)J[9*629+@B.*Q!I0AC
MP-HJE4HU`QL"<S2Y`C%ZRL>MXNU)\3Z+7ZSQJY?PSH>O?E%5](S*L@=TCRH!
MVF!A87'MJB6H+J7QG=4;CZNF47I6+PS%=<3@GE"K^J7K-9>A.!CLO.0>M/5+
M9\M?%O\#E."2`'^W82):+=\=*TO7JY[QW[W8N@GM(6W]S6[!`32J.Z7OZQS?
M).*`>)-APHI#W6XZU48VLI&-;&0C&]G(1C:RD8UL9",;^2+R7SEN[?,`*```
`
end

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/