Received: by 10.192.165.148 with SMTP id m20csp760362imm; Wed, 25 Apr 2018 07:17:23 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/ze3nnKol4aaMJDQ5SzjDpv5t3rEX9PlDdNZwYEcHh8CngODa3zr/d3s+j7Ls54xIMDEZx X-Received: by 10.99.95.13 with SMTP id t13mr24345044pgb.145.1524665843785; Wed, 25 Apr 2018 07:17:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524665843; cv=none; d=google.com; s=arc-20160816; b=LhDXOza/zcMzAmrGLOlelqYYI5jHcqvSmioYzlG7yd29gjVGaH7CvORXQTznBS2u/1 vFQWq0BYTeGgmR7RikUZkzP+eByMJchfI2OaEIeKEE6i1YDBKjVQcHCPOpMoMiDro7k6 vrshCe7eiNHT8MbpfIoKD460nTdRO4kHxTazMtOqJC5n5dws3mu3CmRj6c1M/Cq0K5q3 PXPwBjVwVeJs+RCbtGl3UC9hIJnyDEbQ8Se1zv0FtEAs0RiJ5i9bqF97ZGZtH3Ii8fXu aqoTXH+Ycpwk3jvEfnZbjfbcOc79XFa0bQZ7wUHEAKmVm8PgYLERu9w8aiqIzSbAws+w TVng== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=Gg09D7JR+QJJS+gMBBY0SPSzRgTOt1RcAWNbHILe6Nw=; b=sC9YP7ZOerFQIjpR9Rca73IA9whxifiMryWdGH3aUi2vbmr/4ovQa3+Y25c019g6Ld CeZHMLEsC/Bpsw+A0lCU3xtM4WMLEAltvch/DESuBooqxHDm/WIY9ENRG1Wtu5Rv63so +qXqEcpkIVKHq1fmlYtELDxuRRgIqKRbkYxw+8DchYiAzV0yXjpQwThhWJkK3UjAyLRH lHcPP2tG56icQx8NHX8Ynq0zYNfdFCiMk/EPEIan9yFIBan2LCTSgftuJwPv9iRuq4x0 VHXWw7rPpUSMLy4qQIdMY5GRi22t4oO24kF4VXHDVK2ajg+V1K2ezMyAwus6HbqBwDFy 9TQw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@tycho-ws.20150623.gappssmtp.com header.s=20150623 header.b=qBnQQNGj; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d20-v6si16968358plr.206.2018.04.25.07.17.09; Wed, 25 Apr 2018 07:17:23 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@tycho-ws.20150623.gappssmtp.com header.s=20150623 header.b=qBnQQNGj; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753939AbeDYOPQ (ORCPT + 99 others); Wed, 25 Apr 2018 10:15:16 -0400 Received: from mail-it0-f65.google.com ([209.85.214.65]:53983 "EHLO mail-it0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753632AbeDYOPM (ORCPT ); Wed, 25 Apr 2018 10:15:12 -0400 Received: by mail-it0-f65.google.com with SMTP id m134-v6so20155879itb.3 for ; Wed, 25 Apr 2018 07:15:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tycho-ws.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=Gg09D7JR+QJJS+gMBBY0SPSzRgTOt1RcAWNbHILe6Nw=; b=qBnQQNGjBhdSUTWh+N6zu5iHLSKlV7Lz61GbJRbEdfQq7T5HDa/xJxHPevyQK/IEQh Dx0306o5ptwQ1nqC5bDZSDeaFHSt038WteDyd08lPe5aZlQjnJzGF79cL4Sr0j1ZdyZU wjsd2mOQpaPYwbtWSgRx4y+EnDcr2g4lKhzzLKfN0CWwwlqo6DN/o8UiG3S5qIXREdTi V2KKL5bdp6ATjPcLWgg+8thgIciG4NA1zF/BrigI2rnyF1NDQIAkEV5yNO4x/V/YEd5V gu1JKcIebQYYPQvi5cpebc9EQxb6VK94NKfiVOy2v3rEm4BnO2Wdi+WYLWTYbHlQ5ns8 G+QA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=Gg09D7JR+QJJS+gMBBY0SPSzRgTOt1RcAWNbHILe6Nw=; b=chRpEQrc05OKikNuNmUbtbQE3VwSKepAm5wikwoyIuexteSxajL253Xkc2QT2ZrqAe XI2hlJrue1EOzTf/fOB6XDjczgz2GOBU+Sz+xDKA9NspzpuqqSBVdGikcFMjjFjO7rjH EaRWXApJ8/jbHy5wzfzby0C5ULtYcUMn+e5xwcdp3o5g5zGmO33L9PKxVqmxwos4qrqc Z8L5cxh5brTnD9HiL9AjaGKmKEz8l9TWy2UKZSy5mmhHIMpkT4l3tX7ATXyDn2NXFUcn MKOFpKgDyY86qZfkRhNjWQIibnD36QivOnC5Gc8OvvXtQz4e1BnrEF2vwSRMPdKxvRRF +ILg== X-Gm-Message-State: ALQs6tCF1UpmxpGDSes8AfJXkxf4UjbuQD4bSNiD6Rd8Fi88kEQug1Tz OkWUkzV+ncjFWcArvb2HXQhrgg== X-Received: by 2002:a24:594e:: with SMTP id p75-v6mr24324402itb.135.1524665711322; Wed, 25 Apr 2018 07:15:11 -0700 (PDT) Received: from cisco ([8.24.24.129]) by smtp.gmail.com with ESMTPSA id g62-v6sm5659938ioj.17.2018.04.25.07.15.09 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 25 Apr 2018 07:15:09 -0700 (PDT) Date: Wed, 25 Apr 2018 08:15:07 -0600 From: Tycho Andersen To: Tetsuo Handa Cc: keescook@chromium.org, serge@hallyn.com, ebiggers3@gmail.com, dhowells@redhat.com, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, jmorris@namei.org, Jason@zx2c4.com Subject: Re: [PATCH 1/3] big key: get rid of stack array allocation Message-ID: <20180425141507.GA4240@cisco> References: <20180424143539.GB3125@cisco> <201804242346.FHI69745.SQMHFVOOFLFOJt@I-love.SAKURA.ne.jp> <20180424145104.GC3125@cisco> <20180424195845.GB23575@mail.hallyn.com> <201804251936.GAG73463.HOJtFFOQSLFOVM@I-love.SAKURA.ne.jp> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <201804251936.GAG73463.HOJtFFOQSLFOVM@I-love.SAKURA.ne.jp> User-Agent: Mutt/1.9.4 (2018-02-28) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 25, 2018 at 07:36:21PM +0900, Tetsuo Handa wrote: > Kees Cook wrote: > > On Tue, Apr 24, 2018 at 12:58 PM, Serge E. Hallyn wrote: > > > Quoting Tycho Andersen (tycho@tycho.ws): > > >> On Tue, Apr 24, 2018 at 11:46:38PM +0900, Tetsuo Handa wrote: > > >> > Tycho Andersen wrote: > > >> > > > > + if (unlikely(crypto_aead_ivsize(big_key_aead) != GCM_AES_IV_SIZE)) { > > >> > > > > + WARN(1, "big key algorithm changed?"); > > >> > > > >> > Please avoid using WARN() WARN_ON() etc. > > >> > syzbot would catch it and panic() due to panic_on_warn == 1. > > >> > > >> But it is really a programming bug in this case (and it seems better > > >> than BUG()...). Isn't this exactly the sort of case we want to catch? > > >> > > >> Tycho > > > > > > Right - is there a url to some discussion about this? Because not > > > using WARN when WARN should be used, because it troubles a bot, seems > > > the wrong solution. If this *is* what's been agreed upon, then > > > what is the new recommended thing to do here? > > > > BUG() is basically supposed to never be used, as decreed by Linus. > > WARN() here is entirely correct: if we encounter a case where > > crypto_aead_ivsize(big_key_aead) != GCM_AES_IV_SIZE is not true, we > > run the risk of stack memory corruption. If this is an EXPECTED > > failure case, then okay, drop the WARN() but we have to keep the > > -EINVAL. > > big_key_init() is __init function of built-in module which will be called > only once upon boot, isn't it? Then, there is no point to continue after > WARN(); BUG() is better here. I don't think so. The machine can still boot and work just fine, but big key crypto will not be available. I suspect there are some machines out there that don't need big key, so there's no reason for the boot to fail. That's the rub about WARN vs BUG -- that in most cases things can continue on happily. > Moreover, if this is meant for sanity check in case something went wrong > (e.g. memory corruption), it is better to check at run time like But the algorithm is hard coded at the top of the file, so one check is enough. Tycho