Received: by 10.213.65.68 with SMTP id h4csp942184imn;
        Tue, 20 Mar 2018 21:06:30 -0700 (PDT)
X-Google-Smtp-Source: AG47ELtBGdM8aPGMwB7x9Xf0tc6b39g06bQ/1i87r5Ax7HxXBvF1hnjMVmrUewg87Zvn0j0HLKYI
X-Received: by 2002:a17:902:9009:: with SMTP id a9-v6mr18706338plp.272.1521605190203;
        Tue, 20 Mar 2018 21:06:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1521605190; cv=none;
        d=google.com; s=arc-20160816;
        b=mUmq+5+OiB1mtB8RnZ9c+HEYkAsYEHxDHm1Lja69cT7iNDKLVU0MppF28toC+Q0mzE
         8l630gdrvhl9vIaIC54QhqwRmDbFCyjCZx/FljZDW/+tx94ZidSy6W+OgHWGW0l4fWJb
         WSmF+o5QjbiMKn61G5AXFrKuampFgze/hHXcO3zje4Q5ssX4+8oi9hi0okYLlCgaWun+
         goOhO6qQTjynyZP20V9QL65VhDTDz26s6/RisW0vvDEtdthwZm81rQ3jNsQtXyTxFCJj
         BU0WcNrCPoiDG4LGF+GrGnapFxK79gZQDDIk7WjLF+9d5QqTEh5axZ+Uv+dO5yzihpIy
         BtDg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature:arc-authentication-results;
        bh=212K1GA4IIKbnBTt3r6PDb7WhFM4f8RN/+lmfj97vxU=;
        b=Q8n8/mfccyzPrABy8BWNdLzcr8QoYuTK5ec1IRsXr2MsjepS8nFqkM/pv853qbaUni
         0GfR0Z/VjIDXv6MtBgzSfR3ImB3r8Aw71U+cpC5FtOr9g3aAZ2W6MOoNtQibikH7DXuM
         meb820rO7//6GFg8uB9HlXnleUYuU62vh1ZzxUpj2FL5R56Gswpxik70pJ4dRkZHol2N
         HD43F9f/bTm38Ngmxc3vMSkErYHZ24YaIYsosbrnUYlJK5G2nAuRjQSezlh++oNPhPTI
         jeXYrA3x6QRIlez6MDkFbYtvR1t5gKmzWDEesJ84t5zUQ6m5J+OLyHFJdN3JzB7XXoGb
         C8qg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@tycho-ws.20150623.gappssmtp.com header.s=20150623 header.b=AyteNvwb;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g23-v6si2933676plo.697.2018.03.20.21.06.16;
        Tue, 20 Mar 2018 21:06:30 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@tycho-ws.20150623.gappssmtp.com header.s=20150623 header.b=AyteNvwb;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751309AbeCUEFW (ORCPT <rfc822;daisukeokaopensource@gmail.com>
        + 99 others); Wed, 21 Mar 2018 00:05:22 -0400
Received: from mail-pl0-f66.google.com ([209.85.160.66]:40479 "EHLO
        mail-pl0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750760AbeCUEFU (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 21 Mar 2018 00:05:20 -0400
Received: by mail-pl0-f66.google.com with SMTP id x4-v6so2405046pln.7
        for <linux-kernel@vger.kernel.org>; Tue, 20 Mar 2018 21:05:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=tycho-ws.20150623.gappssmtp.com; s=20150623;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to:user-agent;
        bh=212K1GA4IIKbnBTt3r6PDb7WhFM4f8RN/+lmfj97vxU=;
        b=AyteNvwbW10hkZYxE3qK/FcQxfpPyNkLS5ONtvopO/0VPWLUDZBSROk6agDEl2BGG+
         7spPAnefA5azYun3zAxwpvU51nH1AWMk38ffTH9t0QqziOW8WwBTrxQGisxVVjHP1m3E
         BeEYWTb2Exk8b7Re5F44MonK38ug0XR3NDgW0KyE1uMjBfpCzerWxDwLVkonlBc4B6x5
         tLQoZTRh2sDd1/w8z4c8+HRdkwfkgiEbfIIikOmqkty33Z10ROyFSJxohUO1qqRZFJMV
         7vD3KGOUoqkCLfMXTfYnRGe18cL+4NblMEUinMAgqPUto9Ju1U+XZk/pJR8oBPC429co
         V3hA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=212K1GA4IIKbnBTt3r6PDb7WhFM4f8RN/+lmfj97vxU=;
        b=UrPdgIwsDhkZ0DKQUWCwG2Fqw91A0UvC9qdQDQIwSuUom8ZRH1BEHTwHhp53QGbiKE
         TO1O+eELhDdkZg3oqRgWxFT9apo+VgKAGg1aXdqlwP4TVTsXlovsvaMcP2++QfswvJEe
         UbPTxhGNEdyotgmc3JMAwWsd2IkPutEHlELfOz+UK1kEBP/ltVFvdPQfp1OYdR8lHRDj
         TYDXNwvAVdMcsaDhvaxG/ZraVYcUJ2+0woK0FcxgaM9mK976bXLUIhSYESvmqzQGNVyx
         lzqFYHSRF+t0WK7ILDQDt0TlFsQvuwcqCK0go2sUdskcsnWHh18K3vDcEe9bRMm2bFoX
         G2LA==
X-Gm-Message-State: AElRT7EYaJf2T8vbjk27leovBfMycNFe+BYNIuxGdjz9pPxom8N9Cn1R
        fg+jV10av0QxJcbYFv77gKT0tw==
X-Received: by 2002:a17:902:b7cc:: with SMTP id v12-v6mr3526833plz.237.1521605119205;
        Tue, 20 Mar 2018 21:05:19 -0700 (PDT)
Received: from cisco ([128.107.241.170])
        by smtp.gmail.com with ESMTPSA id b185sm5078142pgc.2.2018.03.20.21.05.17
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Tue, 20 Mar 2018 21:05:17 -0700 (PDT)
Date:   Tue, 20 Mar 2018 22:05:11 -0600
From:   Tycho Andersen <tycho@tycho.ws>
To:     Eric Biggers <ebiggers3@gmail.com>
Cc:     David Howells <dhowells@redhat.com>, keyrings@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com,
        James Morris <jmorris@namei.org>,
        "Serge E. Hallyn" <serge@hallyn.com>
Subject: Re: [PATCH 2/2] dh key: get rid of stack array allocation
Message-ID: <20180321040511.GB18067@cisco>
References: <20180313042907.29598-1-tycho@tycho.ws>
 <20180313042907.29598-2-tycho@tycho.ws>
 <20180315022112.GB641@zzz.localdomain>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180315022112.GB641@zzz.localdomain>
User-Agent: Mutt/1.9.4 (2018-02-28)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Eric,

On Wed, Mar 14, 2018 at 07:21:12PM -0700, Eric Biggers wrote:
> On Mon, Mar 12, 2018 at 10:29:07PM -0600, Tycho Andersen wrote:
> > Similarly to the previous patch, we would like to get rid of stack
> > allocated arrays: https://lkml.org/lkml/2018/3/7/621
> > 
> > In this case, we can also use a malloc style approach to free the temporary
> > buffer, being careful to also use kzfree to free them (indeed, at least one
> > of these has a memzero_explicit, but it seems like maybe they both
> > should?).
> > 
> > Signed-off-by: Tycho Andersen <tycho@tycho.ws>
> > CC: David Howells <dhowells@redhat.com>
> > CC: James Morris <jmorris@namei.org>
> > CC: "Serge E. Hallyn" <serge@hallyn.com>
> > ---
> >  security/keys/dh.c | 27 +++++++++++++++++++++------
> >  1 file changed, 21 insertions(+), 6 deletions(-)
> > 
> > diff --git a/security/keys/dh.c b/security/keys/dh.c
> > index d1ea9f325f94..f02261b24759 100644
> > --- a/security/keys/dh.c
> > +++ b/security/keys/dh.c
> > @@ -162,19 +162,27 @@ static int kdf_ctr(struct kdf_sdesc *sdesc, const u8 *src, unsigned int slen,
> >  			goto err;
> >  
> >  		if (zlen && h) {
> > -			u8 tmpbuffer[h];
> > +			u8 *tmpbuffer;
> >  			size_t chunk = min_t(size_t, zlen, h);
> > -			memset(tmpbuffer, 0, chunk);
> > +
> > +			err = -ENOMEM;
> > +			tmpbuffer = kzalloc(chunk, GFP_KERNEL);
> > +			if (!tmpbuffer)
> > +				goto err;
> >  
> >  			do {
> >  				err = crypto_shash_update(desc, tmpbuffer,
> >  							  chunk);
> > -				if (err)
> > +				if (err) {
> > +					kzfree(tmpbuffer);
> >  					goto err;
> > +				}
> >  
> >  				zlen -= chunk;
> >  				chunk = min_t(size_t, zlen, h);
> >  			} while (zlen);
> > +
> > +			kzfree(tmpbuffer);
> >  		}
> 
> This is just hashing zeroes.  Why not use the zeroes at the end of the 'src'
> buffer which was allocated as 'outbuf' in __keyctl_dh_compute()?  It's already
> the right size.  It might even simplify the code a bit since
> crypto_shash_update() would no longer need to be in a loop.

Can you clarify what you mean by the "end" here? It looks like the end
is copied over with the user string just before it's passed into
keyctl_dh_compute_kdf().

In any case, I agree that it's dumb to do this allocation in a loop
now. What if instead we just do one big long allocation of zlen, hash
it, and then free it? This has the advantage that it's not allocated
two functions away from where it's used...

> >  
> >  		if (src && slen) {
> > @@ -184,13 +192,20 @@ static int kdf_ctr(struct kdf_sdesc *sdesc, const u8 *src, unsigned int slen,
> >  		}
> >  
> >  		if (dlen < h) {
> > -			u8 tmpbuffer[h];
> > +			u8 *tmpbuffer;
> > +
> > +			err = -ENOMEM;
> > +			tmpbuffer = kzalloc(h, GFP_KERNEL);
> > +			if (!tmpbuffer)
> > +				goto err;
> >  
> >  			err = crypto_shash_final(desc, tmpbuffer);
> > -			if (err)
> > +			if (err) {
> > +				kzfree(tmpbuffer);
> >  				goto err;
> > +			}
> >  			memcpy(dst, tmpbuffer, dlen);
> > -			memzero_explicit(tmpbuffer, h);
> > +			kzfree(tmpbuffer);
> >  			return 0;
> >  		} else {
> >  			err = crypto_shash_final(desc, dst);
> > -- 
> 
> Why not instead round the allocated size of 'outbuf' in keyctl_dh_compute_kdf()
> up to the next 'crypto_shash_digestsize()'-boundary?  Then this temporary buffer
> wouldn't be needed at all.

Thanks, I've made this change (and split it out into a separate patch)
for v2.

Tycho