| Message ID | 20180620190408.45104-2-keescook@chromium.org (mailing list archive) |
|---|---|
| State | Changes Requested |
| Delegated to: | Herbert Xu |
| Headers | show |
On 06/20/2018 07:03 PM, Kees Cook wrote: > In the quest to remove all stack VLA usage from the kernel[1], this > removes the VLAs in SHASH_DESC_ON_STACK (via crypto_shash_descsize()) > by using the maximum allowable size (which is now more clearly captured > in a macro). Similar limits are turned into macros as well. > > [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com > > Signed-off-by: Kees Cook <keescook@chromium.org> Got the following warnings: crypto/testmgr.c: In function ‘alg_test_crc32c.part.4’: crypto/testmgr.c:1896:1: warning: the frame size of 2088 bytes is larger than 1024 bytes [-Wframe-larger-than=] crypto/hmac.c: In function ‘hmac_setkey’: crypto/hmac.c:88:1: warning: the frame size of 2088 bytes is larger than 1024 bytes [-Wframe-larger-than=] Christophe > --- > crypto/shash.c | 6 +++--- > include/crypto/hash.h | 6 +++++- > 2 files changed, 8 insertions(+), 4 deletions(-) > > diff --git a/crypto/shash.c b/crypto/shash.c > index 5d732c6bb4b2..ab6902c6dae7 100644 > --- a/crypto/shash.c > +++ b/crypto/shash.c > @@ -458,9 +458,9 @@ static int shash_prepare_alg(struct shash_alg *alg) > { > struct crypto_alg *base = &alg->base; > > - if (alg->digestsize > PAGE_SIZE / 8 || > - alg->descsize > PAGE_SIZE / 8 || > - alg->statesize > PAGE_SIZE / 8) > + if (alg->digestsize > SHASH_MAX_DIGESTSIZE || > + alg->descsize > SHASH_MAX_DESCSIZE || > + alg->statesize > SHASH_MAX_STATESIZE) > return -EINVAL; > > base->cra_type = &crypto_shash_type; > diff --git a/include/crypto/hash.h b/include/crypto/hash.h > index 76e432cab75d..308aad8bf523 100644 > --- a/include/crypto/hash.h > +++ b/include/crypto/hash.h > @@ -151,9 +151,13 @@ struct shash_desc { > void *__ctx[] CRYPTO_MINALIGN_ATTR; > }; > > +#define SHASH_MAX_DIGESTSIZE (PAGE_SIZE / 8) > +#define SHASH_MAX_DESCSIZE (PAGE_SIZE / 8) > +#define SHASH_MAX_STATESIZE (PAGE_SIZE / 8) > + > #define SHASH_DESC_ON_STACK(shash, ctx) \ > char __##shash##_desc[sizeof(struct shash_desc) + \ > - crypto_shash_descsize(ctx)] CRYPTO_MINALIGN_ATTR; \ > + SHASH_MAX_DESCSIZE] CRYPTO_MINALIGN_ATTR; \ > struct shash_desc *shash = (struct shash_desc *)__##shash##_desc > > /** >
On Wed, Jun 20, 2018 at 12:30 PM, Christophe Leroy <christophe.leroy@c-s.fr> wrote: > > > On 06/20/2018 07:03 PM, Kees Cook wrote: >> >> In the quest to remove all stack VLA usage from the kernel[1], this >> removes the VLAs in SHASH_DESC_ON_STACK (via crypto_shash_descsize()) >> by using the maximum allowable size (which is now more clearly captured >> in a macro). Similar limits are turned into macros as well. >> >> [1] >> https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com >> >> Signed-off-by: Kees Cook <keescook@chromium.org> > > > Got the following warnings: > > crypto/testmgr.c: In function ‘alg_test_crc32c.part.4’: > crypto/testmgr.c:1896:1: warning: the frame size of 2088 bytes is larger > than 1024 bytes [-Wframe-larger-than=] > crypto/hmac.c: In function ‘hmac_setkey’: > crypto/hmac.c:88:1: warning: the frame size of 2088 bytes is larger than > 1024 bytes [-Wframe-larger-than=] Ah yes. I didn't do 32-bit builds. So, here's the issue: this uncovers the frame size problems that were hidden by in being a VLA before. It was always possible for the frame to get this big, it's just that the compiler couldn't see it. For qat, I raised the -Wframe-larger-than flag. It seems we'll need to do this in some other places too. -Kees
Le 20/06/2018 à 22:36, Kees Cook a écrit : > On Wed, Jun 20, 2018 at 12:30 PM, Christophe Leroy > <christophe.leroy@c-s.fr> wrote: >> >> >> On 06/20/2018 07:03 PM, Kees Cook wrote: >>> >>> In the quest to remove all stack VLA usage from the kernel[1], this >>> removes the VLAs in SHASH_DESC_ON_STACK (via crypto_shash_descsize()) >>> by using the maximum allowable size (which is now more clearly captured >>> in a macro). Similar limits are turned into macros as well. >>> >>> [1] >>> https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com >>> >>> Signed-off-by: Kees Cook <keescook@chromium.org> >> >> >> Got the following warnings: >> >> crypto/testmgr.c: In function ‘alg_test_crc32c.part.4’: >> crypto/testmgr.c:1896:1: warning: the frame size of 2088 bytes is larger >> than 1024 bytes [-Wframe-larger-than=] >> crypto/hmac.c: In function ‘hmac_setkey’: >> crypto/hmac.c:88:1: warning: the frame size of 2088 bytes is larger than >> 1024 bytes [-Wframe-larger-than=] > > Ah yes. I didn't do 32-bit builds. So, here's the issue: this uncovers > the frame size problems that were hidden by in being a VLA before. It > was always possible for the frame to get this big, it's just that the > compiler couldn't see it. > > For qat, I raised the -Wframe-larger-than flag. It seems we'll need to > do this in some other places too. Maybe the issue is because I have selected 16k pages ? Christophe > > -Kees >
On Wed, Jun 20, 2018 at 1:39 PM, Christophe LEROY <christophe.leroy@c-s.fr> wrote: > > > Le 20/06/2018 à 22:36, Kees Cook a écrit : >> >> On Wed, Jun 20, 2018 at 12:30 PM, Christophe Leroy >> <christophe.leroy@c-s.fr> wrote: >>> >>> >>> >>> On 06/20/2018 07:03 PM, Kees Cook wrote: >>>> >>>> >>>> In the quest to remove all stack VLA usage from the kernel[1], this >>>> removes the VLAs in SHASH_DESC_ON_STACK (via crypto_shash_descsize()) >>>> by using the maximum allowable size (which is now more clearly captured >>>> in a macro). Similar limits are turned into macros as well. >>>> >>>> [1] >>>> >>>> https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com >>>> >>>> Signed-off-by: Kees Cook <keescook@chromium.org> >>> >>> >>> >>> Got the following warnings: >>> >>> crypto/testmgr.c: In function ‘alg_test_crc32c.part.4’: >>> crypto/testmgr.c:1896:1: warning: the frame size of 2088 bytes is larger >>> than 1024 bytes [-Wframe-larger-than=] >>> crypto/hmac.c: In function ‘hmac_setkey’: >>> crypto/hmac.c:88:1: warning: the frame size of 2088 bytes is larger than >>> 1024 bytes [-Wframe-larger-than=] >> >> >> Ah yes. I didn't do 32-bit builds. So, here's the issue: this uncovers >> the frame size problems that were hidden by in being a VLA before. It >> was always possible for the frame to get this big, it's just that the >> compiler couldn't see it. >> >> For qat, I raised the -Wframe-larger-than flag. It seems we'll need to >> do this in some other places too. > > > Maybe the issue is because I have selected 16k pages ? That would do it! And that's exactly the problem Arnd mentioned. For v2, I will switch all the PAGE_SIZE-related limits to an explicit 512. (And I'll do some 32-bit builds too to see if any other cases pop up that I need to mask out.) -Kees
diff --git a/crypto/shash.c b/crypto/shash.c index 5d732c6bb4b2..ab6902c6dae7 100644 --- a/crypto/shash.c +++ b/crypto/shash.c @@ -458,9 +458,9 @@ static int shash_prepare_alg(struct shash_alg *alg) { struct crypto_alg *base = &alg->base; - if (alg->digestsize > PAGE_SIZE / 8 || - alg->descsize > PAGE_SIZE / 8 || - alg->statesize > PAGE_SIZE / 8) + if (alg->digestsize > SHASH_MAX_DIGESTSIZE || + alg->descsize > SHASH_MAX_DESCSIZE || + alg->statesize > SHASH_MAX_STATESIZE) return -EINVAL; base->cra_type = &crypto_shash_type; diff --git a/include/crypto/hash.h b/include/crypto/hash.h index 76e432cab75d..308aad8bf523 100644 --- a/include/crypto/hash.h +++ b/include/crypto/hash.h @@ -151,9 +151,13 @@ struct shash_desc { void *__ctx[] CRYPTO_MINALIGN_ATTR; }; +#define SHASH_MAX_DIGESTSIZE (PAGE_SIZE / 8) +#define SHASH_MAX_DESCSIZE (PAGE_SIZE / 8) +#define SHASH_MAX_STATESIZE (PAGE_SIZE / 8) + #define SHASH_DESC_ON_STACK(shash, ctx) \ char __##shash##_desc[sizeof(struct shash_desc) + \ - crypto_shash_descsize(ctx)] CRYPTO_MINALIGN_ATTR; \ + SHASH_MAX_DESCSIZE] CRYPTO_MINALIGN_ATTR; \ struct shash_desc *shash = (struct shash_desc *)__##shash##_desc /**
In the quest to remove all stack VLA usage from the kernel[1], this removes the VLAs in SHASH_DESC_ON_STACK (via crypto_shash_descsize()) by using the maximum allowable size (which is now more clearly captured in a macro). Similar limits are turned into macros as well. [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com Signed-off-by: Kees Cook <keescook@chromium.org> --- crypto/shash.c | 6 +++--- include/crypto/hash.h | 6 +++++- 2 files changed, 8 insertions(+), 4 deletions(-)