Re: [dm-devel] [PATCH 01/11] crypto: shash: Remove VLA usage
Le 20/06/2018 à 22:36, Kees Cook a écrit : On Wed, Jun 20, 2018 at 12:30 PM, Christophe Leroy wrote: On 06/20/2018 07:03 PM, Kees Cook wrote: In the quest to remove all stack VLA usage from the kernel[1], this removes the VLAs in SHASH_DESC_ON_STACK (via crypto_shash_descsize()) by using the maximum allowable size (which is now more clearly captured in a macro). Similar limits are turned into macros as well. [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com Signed-off-by: Kees Cook Got the following warnings: crypto/testmgr.c: In function ‘alg_test_crc32c.part.4’: crypto/testmgr.c:1896:1: warning: the frame size of 2088 bytes is larger than 1024 bytes [-Wframe-larger-than=] crypto/hmac.c: In function ‘hmac_setkey’: crypto/hmac.c:88:1: warning: the frame size of 2088 bytes is larger than 1024 bytes [-Wframe-larger-than=] Ah yes. I didn't do 32-bit builds. So, here's the issue: this uncovers the frame size problems that were hidden by in being a VLA before. It was always possible for the frame to get this big, it's just that the compiler couldn't see it. For qat, I raised the -Wframe-larger-than flag. It seems we'll need to do this in some other places too. Maybe the issue is because I have selected 16k pages ? Christophe -Kees -- dm-devel mailing list dm-devel@redhat.com https://www.redhat.com/mailman/listinfo/dm-devel
Re: [dm-devel] [PATCH 01/11] crypto: shash: Remove VLA usage
On 06/20/2018 07:03 PM, Kees Cook wrote:
In the quest to remove all stack VLA usage from the kernel[1], this
removes the VLAs in SHASH_DESC_ON_STACK (via crypto_shash_descsize())
by using the maximum allowable size (which is now more clearly captured
in a macro). Similar limits are turned into macros as well.
[1]
https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com
Signed-off-by: Kees Cook
Got the following warnings:
crypto/testmgr.c: In function ‘alg_test_crc32c.part.4’:
crypto/testmgr.c:1896:1: warning: the frame size of 2088 bytes is larger
than 1024 bytes [-Wframe-larger-than=]
crypto/hmac.c: In function ‘hmac_setkey’:
crypto/hmac.c:88:1: warning: the frame size of 2088 bytes is larger than
1024 bytes [-Wframe-larger-than=]
Christophe
---
crypto/shash.c| 6 +++---
include/crypto/hash.h | 6 +-
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/crypto/shash.c b/crypto/shash.c
index 5d732c6bb4b2..ab6902c6dae7 100644
--- a/crypto/shash.c
+++ b/crypto/shash.c
@@ -458,9 +458,9 @@ static int shash_prepare_alg(struct shash_alg *alg)
{
struct crypto_alg *base = >base;
- if (alg->digestsize > PAGE_SIZE / 8 ||
- alg->descsize > PAGE_SIZE / 8 ||
- alg->statesize > PAGE_SIZE / 8)
+ if (alg->digestsize > SHASH_MAX_DIGESTSIZE ||
+ alg->descsize > SHASH_MAX_DESCSIZE ||
+ alg->statesize > SHASH_MAX_STATESIZE)
return -EINVAL;
base->cra_type = _shash_type;
diff --git a/include/crypto/hash.h b/include/crypto/hash.h
index 76e432cab75d..308aad8bf523 100644
--- a/include/crypto/hash.h
+++ b/include/crypto/hash.h
@@ -151,9 +151,13 @@ struct shash_desc {
void *__ctx[] CRYPTO_MINALIGN_ATTR;
};
+#define SHASH_MAX_DIGESTSIZE(PAGE_SIZE / 8)
+#define SHASH_MAX_DESCSIZE (PAGE_SIZE / 8)
+#define SHASH_MAX_STATESIZE (PAGE_SIZE / 8)
+
#define SHASH_DESC_ON_STACK(shash, ctx) \
char __##shash##_desc[sizeof(struct shash_desc) + \
- crypto_shash_descsize(ctx)] CRYPTO_MINALIGN_ATTR; \
+ SHASH_MAX_DESCSIZE] CRYPTO_MINALIGN_ATTR; \
struct shash_desc *shash = (struct shash_desc *)__##shash##_desc
/**
--
dm-devel mailing list
dm-devel@redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel
Re: [dm-devel] [PATCH 01/11] crypto: shash: Remove VLA usage
On Wed, Jun 20, 2018 at 1:39 PM, Christophe LEROY wrote: > > > Le 20/06/2018 à 22:36, Kees Cook a écrit : >> >> On Wed, Jun 20, 2018 at 12:30 PM, Christophe Leroy >> wrote: >>> >>> >>> >>> On 06/20/2018 07:03 PM, Kees Cook wrote: In the quest to remove all stack VLA usage from the kernel[1], this removes the VLAs in SHASH_DESC_ON_STACK (via crypto_shash_descsize()) by using the maximum allowable size (which is now more clearly captured in a macro). Similar limits are turned into macros as well. [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com Signed-off-by: Kees Cook >>> >>> >>> >>> Got the following warnings: >>> >>> crypto/testmgr.c: In function ‘alg_test_crc32c.part.4’: >>> crypto/testmgr.c:1896:1: warning: the frame size of 2088 bytes is larger >>> than 1024 bytes [-Wframe-larger-than=] >>> crypto/hmac.c: In function ‘hmac_setkey’: >>> crypto/hmac.c:88:1: warning: the frame size of 2088 bytes is larger than >>> 1024 bytes [-Wframe-larger-than=] >> >> >> Ah yes. I didn't do 32-bit builds. So, here's the issue: this uncovers >> the frame size problems that were hidden by in being a VLA before. It >> was always possible for the frame to get this big, it's just that the >> compiler couldn't see it. >> >> For qat, I raised the -Wframe-larger-than flag. It seems we'll need to >> do this in some other places too. > > > Maybe the issue is because I have selected 16k pages ? That would do it! And that's exactly the problem Arnd mentioned. For v2, I will switch all the PAGE_SIZE-related limits to an explicit 512. (And I'll do some 32-bit builds too to see if any other cases pop up that I need to mask out.) -Kees -- Kees Cook Pixel Security -- dm-devel mailing list dm-devel@redhat.com https://www.redhat.com/mailman/listinfo/dm-devel
Re: [dm-devel] [PATCH 01/11] crypto: shash: Remove VLA usage
On Wed, Jun 20, 2018 at 12:30 PM, Christophe Leroy wrote: > > > On 06/20/2018 07:03 PM, Kees Cook wrote: >> >> In the quest to remove all stack VLA usage from the kernel[1], this >> removes the VLAs in SHASH_DESC_ON_STACK (via crypto_shash_descsize()) >> by using the maximum allowable size (which is now more clearly captured >> in a macro). Similar limits are turned into macros as well. >> >> [1] >> https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com >> >> Signed-off-by: Kees Cook > > > Got the following warnings: > > crypto/testmgr.c: In function ‘alg_test_crc32c.part.4’: > crypto/testmgr.c:1896:1: warning: the frame size of 2088 bytes is larger > than 1024 bytes [-Wframe-larger-than=] > crypto/hmac.c: In function ‘hmac_setkey’: > crypto/hmac.c:88:1: warning: the frame size of 2088 bytes is larger than > 1024 bytes [-Wframe-larger-than=] Ah yes. I didn't do 32-bit builds. So, here's the issue: this uncovers the frame size problems that were hidden by in being a VLA before. It was always possible for the frame to get this big, it's just that the compiler couldn't see it. For qat, I raised the -Wframe-larger-than flag. It seems we'll need to do this in some other places too. -Kees -- Kees Cook Pixel Security -- dm-devel mailing list dm-devel@redhat.com https://www.redhat.com/mailman/listinfo/dm-devel
