From patchwork Thu Mar 15 22:59:19 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10285903 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 8EEEF602C2 for ; Thu, 15 Mar 2018 22:59:38 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7FC2F28ABE for ; Thu, 15 Mar 2018 22:59:38 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 7466428C90; Thu, 15 Mar 2018 22:59:38 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.3 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 9BE9928ABE for ; Thu, 15 Mar 2018 22:59:37 +0000 (UTC) Received: (qmail 24504 invoked by uid 550); 15 Mar 2018 22:59:35 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 24464 invoked from network); 15 Mar 2018 22:59:34 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:mime-version:content-disposition; bh=GWWUPtSQNK2IDvhhm0q5KbKvb1DOvcvuPcWGgtDSL3g=; b=bMFOl67BM5dayPksQm5dkihp0P3cFdQDq8EQb/BS6LScir8fnRQ7hXe+S87U2N3m8Z jY//9zkPf1VLu9dp3GuCdFL72gqkoAhD7zgeHDQgsLSejlFrMoWp0NthW3CXb+cJTOR8 F5P8WdZwIpag2PehudyvRXQDXlpf++fdm5390= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version :content-disposition; bh=GWWUPtSQNK2IDvhhm0q5KbKvb1DOvcvuPcWGgtDSL3g=; b=m44JrKIFl2VsfwahFHvwurrtGdtSGsIOXz6MGnvvKSBZ6u140WU9Yk+epURko8+C4I 6C6Ryv5qCpMuCqsZGEHnM1NbSY0Fs37Srx1jGVkcxy1Ry07hTgAJA3rH9iEfGbSugRPg 5DnQEnNL89AIF830hbnG4RiBxJa8OXA56+ed6QIvDNUbpu3E1dltJyLrxUpOGoqyXU6a 0PEgnk2eOP0KWQ6Tom6TzKJT4Fp6IgNveFsThR+KzRwsJHPc6PNvyHKfqrCcQwTipVEf VY0YJJOGseRemJD5SWQzox2OqtJMSiS4zAkN0tUB1xW3NfuECLgWB3wzf4Cc+ZowpUXb YK7Q== X-Gm-Message-State: AElRT7Ewx40aPbDW5XfEbCQKisd6PdEtaTcvE9lpz7IHFGRaBtUwAANL q/6S0+EMBoKJiZL1uWHQV2ywVA== X-Google-Smtp-Source: AG47ELs2UOm0b3OWMGBjvBkNxcT138Ss10kSL8NCCNLdjFF8vrRBQOZtAE5xwaxWviChihgyl/7nGA== X-Received: by 10.101.65.11 with SMTP id w11mr1397274pgp.186.1521154762128; Thu, 15 Mar 2018 15:59:22 -0700 (PDT) Date: Thu, 15 Mar 2018 15:59:19 -0700 From: Kees Cook To: Andrew Morton Cc: linux-kernel@vger.kernel.org, Segher Boessenkool , Thomas Gleixner , kernel-hardening@lists.openwall.com Subject: [PATCH v2] rslib: Remove VLAs by setting upper bound on nroots Message-ID: <20180315225919.GA43806@beast> MIME-Version: 1.0 Content-Disposition: inline X-Virus-Scanned: ClamAV using ClamSMTP Avoid stack VLAs[1] by always allocating the upper bound of stack space needed. The existing users of rslib appear to max out at 24 roots[2], so use that as the upper bound until we have a reason to change it. Alternative considered: make init_rs() a true caller-instance and pre-allocate the workspaces. This would possibly need locking and a refactoring of the returned structure. Using kmalloc in this path doesn't look great, especially since at least one caller (pstore) is sensitive to allocations during rslib usage (it expects to run it during an Oops, for example). [1] https://lkml.org/lkml/2018/3/7/621 [2] https://lkml.org/lkml/2018/3/9/838 Signed-off-by: Kees Cook Reviewed-by: Thomas Gleixner --- v2: Resending to akpm, since this is in lib without an obvious owner. Added tglx's Reviewed-by. --- lib/reed_solomon/decode_rs.c | 7 ++++--- lib/reed_solomon/reed_solomon.c | 5 ++++- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/lib/reed_solomon/decode_rs.c b/lib/reed_solomon/decode_rs.c index 0ec3f257ffdf..3e3becb836a6 100644 --- a/lib/reed_solomon/decode_rs.c +++ b/lib/reed_solomon/decode_rs.c @@ -31,9 +31,10 @@ * of nroots is 8. So the necessary stack size will be about * 220 bytes max. */ - uint16_t lambda[nroots + 1], syn[nroots]; - uint16_t b[nroots + 1], t[nroots + 1], omega[nroots + 1]; - uint16_t root[nroots], reg[nroots + 1], loc[nroots]; + uint16_t lambda[RS_MAX_ROOTS + 1], syn[RS_MAX_ROOTS]; + uint16_t b[RS_MAX_ROOTS + 1], t[RS_MAX_ROOTS + 1]; + uint16_t omega[RS_MAX_ROOTS + 1], root[RS_MAX_ROOTS]; + uint16_t reg[RS_MAX_ROOTS + 1], loc[RS_MAX_ROOTS]; int count = 0; uint16_t msk = (uint16_t) rs->nn; diff --git a/lib/reed_solomon/reed_solomon.c b/lib/reed_solomon/reed_solomon.c index 06d04cfa9339..3e218e70ac2e 100644 --- a/lib/reed_solomon/reed_solomon.c +++ b/lib/reed_solomon/reed_solomon.c @@ -51,6 +51,9 @@ static LIST_HEAD (rslist); /* Protection for the list */ static DEFINE_MUTEX(rslistlock); +/* Ultimately controls the upper bounds of the on-stack buffers. */ +#define RS_MAX_ROOTS 24 + /** * rs_init - Initialize a Reed-Solomon codec * @symsize: symbol size, bits (1-8) @@ -210,7 +213,7 @@ static struct rs_control *init_rs_internal(int symsize, int gfpoly, return NULL; if (prim <= 0 || prim >= (1<= (1<= (1< RS_MAX_ROOTS) return NULL; mutex_lock(&rslistlock);