Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp165513imm; Tue, 17 Jul 2018 16:13:51 -0700 (PDT) X-Google-Smtp-Source: AAOMgpddbVEnLpQByfHJ10n2WP6fa2hn95kjPqQYi6m9ffEOYu6hF+1NyL8O+RGmQ5eykR+0QvIB X-Received: by 2002:a65:4344:: with SMTP id k4-v6mr3379728pgq.409.1531869230941; Tue, 17 Jul 2018 16:13:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1531869230; cv=none; d=google.com; s=arc-20160816; b=dBX4iwwA52EGzi87ri+qwISJMJJ99LEM6k2PtdNXGIgkoKScf/G98agQ0m5eWqsZMs pvWT2s2qrJGjwkCiIZf82pk6KEk6M5UbKfh2zLvLqDFFG/Wpu4IktlNu2c3R+0ddnqJ4 HT5TEGOKd7w5hXyELqPn391XLgWUYnx8w0v+sW4uChW82f0CIyeZy959UaW9Jd8VcxJF Hhbm9Ez/ERSeqoi71KwDLRji+FZqLgERR2AumZ+4SzBofmBZ9210hUOWzM+U5hbw/Gnx Dm0aJzk4juLQr8xwJvMD+7U+I+iPBDgjuaVZF47V3uCRb5RCsHNPhwSIFU/bLxB9Whpd KDAw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=QJRAvN4N6MElqlv6d187PoU1FqhmqL9vB9z1kpQaT98=; b=pn/c6Rv41+QOER7beeFBczw7B8ApYR5OqkskpTQm8sZadb07Is+GjrvsJo+W8X9wrL 9X+9scq1TXc+62uPf/TRo4bUi7HAslgYZaZmbcknPI7N5OLl+L6owJbYqbM57iK6QSXS 7DgmJ/OYAWd6tAqU+UHASkrOKZfoQIJUrAyy63dUUrOUSi41ap+kDFxM4NaM0fuvwr8/ RCoOoju3MggQp//6++JbS/fVBl4X94Ilq3x3JbdaoNsFv2I5m5/2k8N1cfCY9xyMgTox ROz2uInQo1bkZFw9RVaSBKSkiB5vyLYPBoX2K3b5A2BkO0HI000B6+8Hjhu5jKsdjKtO 3UDA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=Js6tEsAP; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 85-v6si1930613pfm.264.2018.07.17.16.13.36; Tue, 17 Jul 2018 16:13:50 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=Js6tEsAP; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731259AbeGQXrG (ORCPT + 99 others); Tue, 17 Jul 2018 19:47:06 -0400 Received: from mail-pg1-f196.google.com ([209.85.215.196]:45196 "EHLO mail-pg1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730052AbeGQXrG (ORCPT ); Tue, 17 Jul 2018 19:47:06 -0400 Received: by mail-pg1-f196.google.com with SMTP id f1-v6so1077072pgq.12; Tue, 17 Jul 2018 16:12:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=QJRAvN4N6MElqlv6d187PoU1FqhmqL9vB9z1kpQaT98=; b=Js6tEsAPJ+Z05AZv63giOf1fDEKuKAAaRxQtUuA+3nR9KGv8NWcvB6UaNGxAEgE8l+ KVRNFG9BMmM7iqq7U5g1jxgh6dLtDI68oWBRxotVMh0040+mPYq7C3pSu3OWbD1KY14a 7D3l9rtaHf0q59Gv4KHKB1auFck+sopYjcOZty2wsrMKiQVu2hmpvviHZ6kXWLaOUkSt z7NAoHzrvJA3bvEL54SXjTCZnlpGUBReWTCxk/GIXZspLNDp4LFb8kz42P6Wzo9gKl3v WlKXAhE9q2meKMhGASoS8elDJ1ddsyAxF3vTNjOIuCknmztK10BaMYVMeq2sTDjGMUhQ CkEA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=QJRAvN4N6MElqlv6d187PoU1FqhmqL9vB9z1kpQaT98=; b=gDkiWC7FjVqGuBKqBjPEUQVGPEkFfSXGrNIvLF0s0xFsFCuD8T0zOB3OoV7mzc3YNr 2XQqU/uUYEq7vdfT9UwpSmWEcNLMYoha5+xbPE9UZLCQFksYWNy7mtNLxzQrNFK/LAgt sVTUOi0FkbSC3OXrYRvzHPnz35ZNsMSiHSlj5JKZhMeQ1As36Tw0+xduegWqg7T7D7ji p9bWnXMlTY2425m0Mw8O+0ljAgETa3aw1LvBZlRw3HILJcKPio/bZasQ3c0ZI2MPAcI4 4jT1Cq8Zz8K8bONUI0LrtAaEIqKgcyKA3vBhzPmHeGtcNReEaMZVlrnVEZzIsTLSxy3C JLKQ== X-Gm-Message-State: AOUpUlHQVjS+qyJG47coSuaTN21vG+kW97YUP0eZeOth3kKA5WMk0XFl DGhozVSi2lqmQAtKmz5ZUUE= X-Received: by 2002:a62:2983:: with SMTP id p125-v6mr2684913pfp.128.1531869132199; Tue, 17 Jul 2018 16:12:12 -0700 (PDT) Received: from gmail.com ([2620:15c:17:3:dc28:5c82:b905:e8a8]) by smtp.gmail.com with ESMTPSA id y27-v6sm3412190pff.181.2018.07.17.16.12.11 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Tue, 17 Jul 2018 16:12:11 -0700 (PDT) Date: Tue, 17 Jul 2018 16:12:09 -0700 From: Eric Biggers To: Kees Cook Cc: Herbert Xu , Giovanni Cabiddu , Arnd Bergmann , "Gustavo A. R. Silva" , Mike Snitzer , Eric Biggers , qat-linux@intel.com, LKML , dm-devel@redhat.com, linux-crypto , Lars Persson , Tim Chen , Alasdair Kergon , Rabin Vincent Subject: Re: [dm-devel] [PATCH v5 05/11] crypto: ahash: Remove VLA usage Message-ID: <20180717231209.GJ75957@gmail.com> References: <20180717042150.37761-1-keescook@chromium.org> <20180717042150.37761-6-keescook@chromium.org> <20180717163936.GB75957@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10+35 (c786a508) (2018-06-22) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jul 17, 2018 at 01:07:50PM -0700, Kees Cook wrote: > On Tue, Jul 17, 2018 at 9:39 AM, Eric Biggers wrote: > > On Mon, Jul 16, 2018 at 09:21:44PM -0700, Kees Cook wrote: > >> In the quest to remove all stack VLA usage from the kernel[1], this > >> introduces max size macros for ahash, as already done for shash, and > >> adjust the crypto user to max state size. > >> > >> [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com > >> > >> Signed-off-by: Kees Cook > >> --- > >> crypto/ahash.c | 4 ++-- > >> crypto/algif_hash.c | 2 +- > >> include/crypto/hash.h | 3 +++ > >> 3 files changed, 6 insertions(+), 3 deletions(-) > >> > >> diff --git a/crypto/ahash.c b/crypto/ahash.c > >> index a64c143165b1..6435bdbe42fd 100644 > >> --- a/crypto/ahash.c > >> +++ b/crypto/ahash.c > >> @@ -550,8 +550,8 @@ static int ahash_prepare_alg(struct ahash_alg *alg) > >> { > >> struct crypto_alg *base = &alg->halg.base; > >> > >> - if (alg->halg.digestsize > PAGE_SIZE / 8 || > >> - alg->halg.statesize > PAGE_SIZE / 8 || > >> + if (alg->halg.digestsize > AHASH_MAX_DIGESTSIZE || > >> + alg->halg.statesize > AHASH_MAX_STATESIZE || > >> alg->halg.statesize == 0) > >> return -EINVAL; > >> > >> diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c > >> index bfcf595fd8f9..8974ee8ebead 100644 > >> --- a/crypto/algif_hash.c > >> +++ b/crypto/algif_hash.c > >> @@ -239,7 +239,7 @@ static int hash_accept(struct socket *sock, struct socket *newsock, int flags, > >> struct alg_sock *ask = alg_sk(sk); > >> struct hash_ctx *ctx = ask->private; > >> struct ahash_request *req = &ctx->req; > >> - char state[crypto_ahash_statesize(crypto_ahash_reqtfm(req)) ? : 1]; > >> + char state[AHASH_MAX_STATESIZE]; > >> struct sock *sk2; > >> struct alg_sock *ask2; > >> struct hash_ctx *ctx2; > >> diff --git a/include/crypto/hash.h b/include/crypto/hash.h > >> index ae14cc0e0cdb..4fcd0e2368cd 100644 > >> --- a/include/crypto/hash.h > >> +++ b/include/crypto/hash.h > >> @@ -64,6 +64,9 @@ struct ahash_request { > >> void *__ctx[] CRYPTO_MINALIGN_ATTR; > >> }; > >> > >> +#define AHASH_MAX_DIGESTSIZE 512 > >> +#define AHASH_MAX_STATESIZE 512 > >> + > > > > Why is AHASH_MAX_DIGESTSIZE (512) so much larger than SHASH_MAX_DIGESTSIZE (64)? > > I would have expected them to be the same. > > This was a direct replacement of the PAGE_SIZE / 8 original limit. > This this didn't trip any frame size warnings, it seemed like we > didn't need to do the more narrow limitations done elsewhere. > > I am, of course, happy to do a manual review and find a lower > alternative if that's desired. > I just don't see why ahash algorithms would need such a huge maximum digest size. Don't the 'ahash' algorithms all have 'shash' equivalents too? Is there actually any hash algorithm, either shash or ahash, in the Linux kernel that has a digest size greater than 64 bytes (512 bits)? Note that for a real cryptographic hash there isn't really any need for a digest size larger than that, since that already gives you 256-bit collision resistance; that's why SHA-2 and SHA-3 max out at that size. - Eric