Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp23752imm;
        Wed, 5 Sep 2018 14:14:29 -0700 (PDT)
X-Google-Smtp-Source: ANB0VdacncKPniGwxXgOIa2fbEB7dob2KyiMI/etmjaN4cQzm5W3e2HPW9+/FGgDRJvjCpjDvLQH
X-Received: by 2002:a63:f:: with SMTP id 15-v6mr38795663pga.430.1536182069102;
        Wed, 05 Sep 2018 14:14:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1536182069; cv=none;
        d=google.com; s=arc-20160816;
        b=kBjBxkt6Y1Hvs3T4C1gM92M4qGl1I9pxa4rinl8qSqpcFTjN2KKrSQUnHinJQyiF7B
         epCqpo3951ljFUnKc+zEa9ZjG6qzQrqwJYRPsAmxMTaxuOjupFw+FZAxz0lAedLOKBDE
         X8YYywwAYo5FX4CdeUQK4yuiT6hFYWxloMAXym1qNA6R1jscmAWsDAuZhHcq/YII/ZqS
         y7bX2rTRkwdORTT0YyYIeV9XEerpKDBSF9Qlgzi0S9/GIa1dTVjUyXJigPnU+qAD/ri7
         2fTQcDpdMi+kU8XyBjuO/DuVNmq6c9r5pzJtDDJ3CIDOe2yngzQIatn/zJMTX9CpUTAe
         pPrw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature;
        bh=OKsie9R6idiavEQFA9FzG93r8uZfFlPtlZcfLIjtdqs=;
        b=Ig4+CniaewessBweqcY0jv1eu0zDs0AX8M1iJ/19qwY32gSFl8xsvqAlyee4j406Al
         n/nobAyvqyEQjEHvCaonTYNnMnLNYus0sNC5DunDzXgupJBkoBoeo0WS639sYl7esXeK
         cHRLSxmUhPuTRF7BNi9mrUY9v6ZkQd6isi7uoFfe/PCKrC38s+jKbPv/5NknPKK1gE5R
         rYVvJlGPDaAKfTfgpg9TE2LHwjGjum5tJeelA83VJDXAgv/1LtMrvr4csC1MXB/+zuG2
         yr0cxHJgNrHH3MdtwFLgM9TKlcjVKNjoHaduLFzOj3zqn6BK2jo9IlnmGUYAGTwsxvoj
         VlqA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=bKa5W7Th;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id u12-v6si3115194pgm.209.2018.09.05.14.14.12;
        Wed, 05 Sep 2018 14:14:29 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=bKa5W7Th;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727751AbeIFBmc (ORCPT <rfc822;kerneldev.sdk@gmail.com>
        + 99 others); Wed, 5 Sep 2018 21:42:32 -0400
Received: from mail-yw1-f68.google.com ([209.85.161.68]:38237 "EHLO
        mail-yw1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727069AbeIFBmb (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 5 Sep 2018 21:42:31 -0400
Received: by mail-yw1-f68.google.com with SMTP id n21-v6so3235294ywh.5
        for <linux-kernel@vger.kernel.org>; Wed, 05 Sep 2018 14:10:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=OKsie9R6idiavEQFA9FzG93r8uZfFlPtlZcfLIjtdqs=;
        b=bKa5W7ThY9VKsL9/BZRzf23mnVpiITRCKunuyfyXaAjXo4JDPKw99Z/n1Rhng3CItn
         hLYM+wWgMlxnu2v40tAhArrsawosRJUsB0TgAGnJLT5oDl3nRfnQpqrWa58vPAMVoZZ+
         0b0YAfeIFXI0nGv6+bfqE+AFepEacOz9CutrU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=OKsie9R6idiavEQFA9FzG93r8uZfFlPtlZcfLIjtdqs=;
        b=roi5l59DaT1mkxWIJOJpXY4f1e26a6TLrGpNbl1BCXfpNiiHyXeehBWE6r07nkNWWK
         TlZOq9MnXCHohpqEmYrE++bS20gsBSpfcnm2IhmMl6WqSDw0EQpmwv7+OTUf2TB951em
         4BblOPtBXFv6h4gTp9XEVkX+joGgWUZFEhUuMclyauWgMAhKUY3vKtiJGNtENJ83oZzw
         5cg2SD0+cHh981qW8mrFhVR7k5UaBrxCVcE8Cb5e2S2GvFyWIdIw/IJeRMwmnVXPR33b
         QpWUZzRlDx5TflfFU9Kcu76HOUAfjiC7ImJvOQkQGomN99OxXG6inHQ8yn4w6uPaCNsU
         mGsA==
X-Gm-Message-State: APzg51CvMPYyFt6W663fspBr67jmtDQerUlQ/PFBh2TOArqPlz2rX7Fd
        6YcJ6eUZx9fEmTgNjWguGd+bsLOx1xA=
X-Received: by 2002:a81:288d:: with SMTP id o135-v6mr22178024ywo.171.1536181832455;
        Wed, 05 Sep 2018 14:10:32 -0700 (PDT)
Received: from mail-yw1-f44.google.com (mail-yw1-f44.google.com. [209.85.161.44])
        by smtp.gmail.com with ESMTPSA id k186-v6sm991604ywd.106.2018.09.05.14.10.32
        for <linux-kernel@vger.kernel.org>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 05 Sep 2018 14:10:32 -0700 (PDT)
Received: by mail-yw1-f44.google.com with SMTP id z143-v6so3230364ywa.7
        for <linux-kernel@vger.kernel.org>; Wed, 05 Sep 2018 14:10:32 -0700 (PDT)
X-Received: by 2002:a0d:db10:: with SMTP id d16-v6mr22890053ywe.124.1536181520543;
 Wed, 05 Sep 2018 14:05:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a25:5f04:0:0:0:0:0 with HTTP; Wed, 5 Sep 2018 14:05:19 -0700 (PDT)
In-Reply-To: <CAKv+Gu9uJ+ZjBSCM=aU0GDvYR72cy2k8reXdLV5on3dOVw8KdQ@mail.gmail.com>
References: <20180904181629.20712-1-keescook@chromium.org> <20180904181629.20712-3-keescook@chromium.org>
 <CAKv+Gu9uJ+ZjBSCM=aU0GDvYR72cy2k8reXdLV5on3dOVw8KdQ@mail.gmail.com>
From:   Kees Cook <keescook@chromium.org>
Date:   Wed, 5 Sep 2018 14:05:19 -0700
X-Gmail-Original-Message-ID: <CAGXu5jKmcuhULMR=O9B_hJAxEK8uV36uoMxm4F3F8yYSuMzYNA@mail.gmail.com>
Message-ID: <CAGXu5jKmcuhULMR=O9B_hJAxEK8uV36uoMxm4F3F8yYSuMzYNA@mail.gmail.com>
Subject: Re: [PATCH 2/2] crypto: skcipher: Remove VLA usage for SKCIPHER_REQUEST_ON_STACK
To:     Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc:     Herbert Xu <herbert@gondor.apana.org.au>,
        Eric Biggers <ebiggers@google.com>,
        Gilad Ben-Yossef <gilad@benyossef.com>,
        Antoine Tenart <antoine.tenart@bootlin.com>,
        Boris Brezillon <boris.brezillon@bootlin.com>,
        Arnaud Ebalard <arno@natisbad.org>,
        Corentin Labbe <clabbe.montjoie@gmail.com>,
        Maxime Ripard <maxime.ripard@bootlin.com>,
        Chen-Yu Tsai <wens@csie.org>,
        Christian Lamparter <chunkeey@gmail.com>,
        Philippe Ombredanne <pombredanne@nexb.com>,
        Jonathan Cameron <Jonathan.Cameron@huawei.com>,
        "open list:HARDWARE RANDOM NUMBER GENERATOR CORE" 
        <linux-crypto@vger.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        linux-arm-kernel <linux-arm-kernel@lists.infradead.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Sep 5, 2018 at 2:18 AM, Ard Biesheuvel
<ard.biesheuvel@linaro.org> wrote:
> On 4 September 2018 at 20:16, Kees Cook <keescook@chromium.org> wrote:
>> In the quest to remove all stack VLA usage from the kernel[1], this
>> caps the skcipher request size similar to other limits and adds a sanity
>> check at registration. Looking at instrumented tcrypt output, the largest
>> is for lrw:
>>
>>         crypt: testing lrw(aes)
>>         crypto_skcipher_set_reqsize: 8
>>         crypto_skcipher_set_reqsize: 88
>>         crypto_skcipher_set_reqsize: 472
>>
>
> Are you sure this is a representative sampling? I haven't double
> checked myself, but we have plenty of drivers for peripherals in
> drivers/crypto that implement block ciphers, and they would not turn
> up in tcrypt unless you are running on a platform that provides the
> hardware in question.

Hrm, excellent point. Looking at this again:

The core part of the VLA is using this in the ON_STACK macro:

static inline unsigned int crypto_skcipher_reqsize(struct crypto_skcipher *tfm)
{
        return tfm->reqsize;
}

I don't find any struct crypto_skcipher .reqsize static initializers,
and the initial reqsize is here:

static int crypto_init_skcipher_ops_ablkcipher(struct crypto_tfm *tfm)
{
...
        skcipher->reqsize = crypto_ablkcipher_reqsize(ablkcipher) +
                            sizeof(struct ablkcipher_request);

with updates via crypto_skcipher_set_reqsize().

So I have to examine ablkcipher reqsize too:

static inline unsigned int crypto_ablkcipher_reqsize(
        struct crypto_ablkcipher *tfm)
{
        return crypto_ablkcipher_crt(tfm)->reqsize;
}

And of the crt_ablkcipher.reqsize assignments/initializers, I found:

ablkcipher reqsize:
1       struct dcp_aes_req_ctx
8       struct atmel_tdes_reqctx
8       struct cryptd_blkcipher_request_ctx
8       struct mtk_aes_reqctx
8       struct omap_des_reqctx
8       struct s5p_aes_reqctx
8       struct sahara_aes_reqctx
8       struct stm32_cryp_reqctx
8       struct stm32_cryp_reqctx
16      struct ablk_ctx
24      struct atmel_aes_reqctx
48      struct omap_aes_reqctx
48      struct omap_aes_reqctx
48      struct qat_crypto_request
56      struct artpec6_crypto_request_context
64      struct chcr_blkcipher_req_ctx
80      struct spacc_req
80      struct virtio_crypto_sym_request
136     struct qce_cipher_reqctx
168     struct n2_request_context
328     struct ccp_des3_req_ctx
400     struct ccp_aes_req_ctx
536     struct hifn_request_context
992     struct cvm_req_ctx
2456    struct iproc_reqctx_s

The base ablkcipher wrapper is:
80      struct ablkcipher_request

And in my earlier skcipher wrapper analysis, lrw was the largest
skcipher wrapper:
384     struct rctx

iproc_reqctx_s is an extreme outlier, with cvm_req_ctx at a bit less than half.

Making this a 2920 byte fixed array doesn't seem sensible at all
(though that's what's already possible to use with existing
SKCIPHER_REQUEST_ON_STACK users).

What's the right path forward here?

-Kees

-- 
Kees Cook
Pixel Security