Re: [dm-devel] [PATCH 01/11] crypto: shash: Remove VLA usage
Le 20/06/2018 à 22:36, Kees Cook a écrit : On Wed, Jun 20, 2018 at 12:30 PM, Christophe Leroy wrote: On 06/20/2018 07:03 PM, Kees Cook wrote: In the quest to remove all stack VLA usage from the kernel[1], this removes the VLAs in SHASH_DESC_ON_STACK (via crypto_shash_descsize()) by using the maximum allowable size (which is now more clearly captured in a macro). Similar limits are turned into macros as well. [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com Signed-off-by: Kees Cook Got the following warnings: crypto/testmgr.c: In function ‘alg_test_crc32c.part.4’: crypto/testmgr.c:1896:1: warning: the frame size of 2088 bytes is larger than 1024 bytes [-Wframe-larger-than=] crypto/hmac.c: In function ‘hmac_setkey’: crypto/hmac.c:88:1: warning: the frame size of 2088 bytes is larger than 1024 bytes [-Wframe-larger-than=] Ah yes. I didn't do 32-bit builds. So, here's the issue: this uncovers the frame size problems that were hidden by in being a VLA before. It was always possible for the frame to get this big, it's just that the compiler couldn't see it. For qat, I raised the -Wframe-larger-than flag. It seems we'll need to do this in some other places too. Maybe the issue is because I have selected 16k pages ? Christophe -Kees -- dm-devel mailing list dm-devel@redhat.com https://www.redhat.com/mailman/listinfo/dm-devel
Re: [dm-devel] [PATCH 01/11] crypto: shash: Remove VLA usage
On 06/20/2018 07:03 PM, Kees Cook wrote: In the quest to remove all stack VLA usage from the kernel[1], this removes the VLAs in SHASH_DESC_ON_STACK (via crypto_shash_descsize()) by using the maximum allowable size (which is now more clearly captured in a macro). Similar limits are turned into macros as well. [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com Signed-off-by: Kees Cook Got the following warnings: crypto/testmgr.c: In function ‘alg_test_crc32c.part.4’: crypto/testmgr.c:1896:1: warning: the frame size of 2088 bytes is larger than 1024 bytes [-Wframe-larger-than=] crypto/hmac.c: In function ‘hmac_setkey’: crypto/hmac.c:88:1: warning: the frame size of 2088 bytes is larger than 1024 bytes [-Wframe-larger-than=] Christophe --- crypto/shash.c| 6 +++--- include/crypto/hash.h | 6 +- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/crypto/shash.c b/crypto/shash.c index 5d732c6bb4b2..ab6902c6dae7 100644 --- a/crypto/shash.c +++ b/crypto/shash.c @@ -458,9 +458,9 @@ static int shash_prepare_alg(struct shash_alg *alg) { struct crypto_alg *base = >base; - if (alg->digestsize > PAGE_SIZE / 8 || - alg->descsize > PAGE_SIZE / 8 || - alg->statesize > PAGE_SIZE / 8) + if (alg->digestsize > SHASH_MAX_DIGESTSIZE || + alg->descsize > SHASH_MAX_DESCSIZE || + alg->statesize > SHASH_MAX_STATESIZE) return -EINVAL; base->cra_type = _shash_type; diff --git a/include/crypto/hash.h b/include/crypto/hash.h index 76e432cab75d..308aad8bf523 100644 --- a/include/crypto/hash.h +++ b/include/crypto/hash.h @@ -151,9 +151,13 @@ struct shash_desc { void *__ctx[] CRYPTO_MINALIGN_ATTR; }; +#define SHASH_MAX_DIGESTSIZE(PAGE_SIZE / 8) +#define SHASH_MAX_DESCSIZE (PAGE_SIZE / 8) +#define SHASH_MAX_STATESIZE (PAGE_SIZE / 8) + #define SHASH_DESC_ON_STACK(shash, ctx) \ char __##shash##_desc[sizeof(struct shash_desc) + \ - crypto_shash_descsize(ctx)] CRYPTO_MINALIGN_ATTR; \ + SHASH_MAX_DESCSIZE] CRYPTO_MINALIGN_ATTR; \ struct shash_desc *shash = (struct shash_desc *)__##shash##_desc /** -- dm-devel mailing list dm-devel@redhat.com https://www.redhat.com/mailman/listinfo/dm-devel
Re: [dm-devel] [PATCH 01/11] crypto: shash: Remove VLA usage
On Wed, Jun 20, 2018 at 1:39 PM, Christophe LEROY wrote: > > > Le 20/06/2018 à 22:36, Kees Cook a écrit : >> >> On Wed, Jun 20, 2018 at 12:30 PM, Christophe Leroy >> wrote: >>> >>> >>> >>> On 06/20/2018 07:03 PM, Kees Cook wrote: In the quest to remove all stack VLA usage from the kernel[1], this removes the VLAs in SHASH_DESC_ON_STACK (via crypto_shash_descsize()) by using the maximum allowable size (which is now more clearly captured in a macro). Similar limits are turned into macros as well. [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com Signed-off-by: Kees Cook >>> >>> >>> >>> Got the following warnings: >>> >>> crypto/testmgr.c: In function ‘alg_test_crc32c.part.4’: >>> crypto/testmgr.c:1896:1: warning: the frame size of 2088 bytes is larger >>> than 1024 bytes [-Wframe-larger-than=] >>> crypto/hmac.c: In function ‘hmac_setkey’: >>> crypto/hmac.c:88:1: warning: the frame size of 2088 bytes is larger than >>> 1024 bytes [-Wframe-larger-than=] >> >> >> Ah yes. I didn't do 32-bit builds. So, here's the issue: this uncovers >> the frame size problems that were hidden by in being a VLA before. It >> was always possible for the frame to get this big, it's just that the >> compiler couldn't see it. >> >> For qat, I raised the -Wframe-larger-than flag. It seems we'll need to >> do this in some other places too. > > > Maybe the issue is because I have selected 16k pages ? That would do it! And that's exactly the problem Arnd mentioned. For v2, I will switch all the PAGE_SIZE-related limits to an explicit 512. (And I'll do some 32-bit builds too to see if any other cases pop up that I need to mask out.) -Kees -- Kees Cook Pixel Security -- dm-devel mailing list dm-devel@redhat.com https://www.redhat.com/mailman/listinfo/dm-devel
Re: [dm-devel] [PATCH 01/11] crypto: shash: Remove VLA usage
On Wed, Jun 20, 2018 at 12:30 PM, Christophe Leroy wrote: > > > On 06/20/2018 07:03 PM, Kees Cook wrote: >> >> In the quest to remove all stack VLA usage from the kernel[1], this >> removes the VLAs in SHASH_DESC_ON_STACK (via crypto_shash_descsize()) >> by using the maximum allowable size (which is now more clearly captured >> in a macro). Similar limits are turned into macros as well. >> >> [1] >> https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com >> >> Signed-off-by: Kees Cook > > > Got the following warnings: > > crypto/testmgr.c: In function ‘alg_test_crc32c.part.4’: > crypto/testmgr.c:1896:1: warning: the frame size of 2088 bytes is larger > than 1024 bytes [-Wframe-larger-than=] > crypto/hmac.c: In function ‘hmac_setkey’: > crypto/hmac.c:88:1: warning: the frame size of 2088 bytes is larger than > 1024 bytes [-Wframe-larger-than=] Ah yes. I didn't do 32-bit builds. So, here's the issue: this uncovers the frame size problems that were hidden by in being a VLA before. It was always possible for the frame to get this big, it's just that the compiler couldn't see it. For qat, I raised the -Wframe-larger-than flag. It seems we'll need to do this in some other places too. -Kees -- Kees Cook Pixel Security -- dm-devel mailing list dm-devel@redhat.com https://www.redhat.com/mailman/listinfo/dm-devel