References: <20180904181629.20712-1-keescook@chromium.org> <20180904181629.20712-3-keescook@chromium.org>
From: Kees Cook
Date: Thu, 6 Sep 2018 15:23:01 -0700
Subject: Re: [PATCH 2/2] crypto: skcipher: Remove VLA usage for SKCIPHER_REQUEST_ON_STACK
To: Ard Biesheuvel
Cc: Herbert Xu, Eric Biggers, Gilad Ben-Yossef, Antoine Tenart, Boris Brezillon, Arnaud Ebalard, Corentin Labbe, Maxime Ripard, Chen-Yu Tsai, Christian Lamparter, Philippe Ombredanne, Jonathan Cameron, "open list:HARDWARE RANDOM NUMBER GENERATOR CORE", Linux Kernel Mailing List, linux-arm-kernel
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Sep 6, 2018 at 1:22 PM, Kees Cook wrote:
> On Wed, Sep 5, 2018 at 5:43 PM, Kees Cook wrote:
>> On Wed, Sep 5, 2018 at 3:49 PM, Ard Biesheuvel
>> wrote:
>>> On 5 September 2018 at 23:05, Kees Cook wrote:
>>>> On Wed, Sep 5, 2018 at 2:18 AM, Ard Biesheuvel
>>>> wrote:
>>>>> On 4 September 2018 at 20:16, Kees Cook wrote:
>>>>>> In the quest to remove all stack VLA usage from the kernel[1], this
>>>>>> caps the skcipher request size similar to other limits and adds a sanity
>>>>>> check at registration. Looking at instrumented tcrypt output, the largest
>>>>>> is for lrw:
>>>>>>
>>>>>>         crypt: testing lrw(aes)
>>>>>>         crypto_skcipher_set_reqsize: 8
>>>>>>         crypto_skcipher_set_reqsize: 88
>>>>>>         crypto_skcipher_set_reqsize: 472
>>>>>>
>>>>>
>>>>> Are you sure this is a representative sampling? I haven't double
>>>>> checked myself, but we have plenty of drivers for peripherals in
>>>>> drivers/crypto that implement block ciphers, and they would not turn
>>>>> up in tcrypt unless you are running on a platform that provides the
>>>>> hardware in question.
>>>>
>>>> Hrm, excellent point. Looking at this again:
>>>> [...]
>>>> And of the crt_ablkcipher.reqsize assignments/initializers, I found:
>>>>
>>>> ablkcipher reqsize:
>>>>     1  struct dcp_aes_req_ctx
>>>>     8  struct atmel_tdes_reqctx
>>>>     8  struct cryptd_blkcipher_request_ctx
>>>>     8  struct mtk_aes_reqctx
>>>>     8  struct omap_des_reqctx
>>>>     8  struct s5p_aes_reqctx
>>>>     8  struct sahara_aes_reqctx
>>>>     8  struct stm32_cryp_reqctx
>>>>     8  struct stm32_cryp_reqctx
>>>>    16  struct ablk_ctx
>>>>    24  struct atmel_aes_reqctx
>>>>    48  struct omap_aes_reqctx
>>>>    48  struct omap_aes_reqctx
>>>>    48  struct qat_crypto_request
>>>>    56  struct artpec6_crypto_request_context
>>>>    64  struct chcr_blkcipher_req_ctx
>>>>    80  struct spacc_req
>>>>    80  struct virtio_crypto_sym_request
>>>>   136  struct qce_cipher_reqctx
>>>>   168  struct n2_request_context
>>>>   328  struct ccp_des3_req_ctx
>>>>   400  struct ccp_aes_req_ctx
>>>>   536  struct hifn_request_context
>>>>   992  struct cvm_req_ctx
>>>>  2456  struct iproc_reqctx_s
>
> All of these are ASYNC (they're all crt_ablkcipher), so IIUC, I can ignore them.
>
>>>> The base ablkcipher wrapper is:
>>>>    80  struct ablkcipher_request
>>>>
>>>> And in my earlier skcipher wrapper analysis, lrw was the largest
>>>> skcipher wrapper:
>>>>   384  struct rctx
>>>>
>>>> iproc_reqctx_s is an extreme outlier, with cvm_req_ctx at a bit less than half.
>>>>
>>>> Making this a 2920 byte fixed array doesn't seem sensible at all
>>>> (though that's what's already possible to use with existing
>>>> SKCIPHER_REQUEST_ON_STACK users).
>>>>
>>>> What's the right path forward here?
>>>>
>>>
>>> The skcipher implementations based on crypto IP blocks are typically
>>> asynchronous, and I wouldn't be surprised if a fair number of
>>> SKCIPHER_REQUEST_ON_STACK() users are limited to synchronous
>>> skciphers.
>>
>> Looks similar to ahash vs shash. :) Yes, so nearly all
>> crypto_alloc_skcipher() users explicitly mask away ASYNC. What's left
>> appears to be:
>>
>> crypto/drbg.c: sk_tfm = crypto_alloc_skcipher(ctr_name, 0, 0);
>> crypto/tcrypt.c: tfm = crypto_alloc_skcipher(algo, 0, async ? 0
>> : CRYPTO_ALG_ASYNC);
>> drivers/crypto/omap-aes.c: ctx->ctr =
>> crypto_alloc_skcipher("ecb(aes)", 0, 0);
>> drivers/md/dm-crypt.c: cc->cipher_tfm.tfms[i] =
>> crypto_alloc_skcipher(ciphermode, 0, 0);
>> drivers/md/dm-integrity.c: ic->journal_crypt =
>> crypto_alloc_skcipher(ic->journal_crypt_alg.alg_string, 0, 0);
>> fs/crypto/keyinfo.c: struct crypto_skcipher *tfm =
>> crypto_alloc_skcipher("ecb(aes)", 0, 0);
>> fs/crypto/keyinfo.c: ctfm = crypto_alloc_skcipher(mode->cipher_str, 0, 0);
>> fs/ecryptfs/crypto.c: crypt_stat->tfm =
>> crypto_alloc_skcipher(full_alg_name, 0, 0);
>>
>> I'll cross-reference this with SKCIPHER_REQUEST_ON_STACK...
>
> None of these use SKCIPHER_REQUEST_ON_STACK that I can find.
>
>>> So we could formalize this and limit SKCIPHER_REQUEST_ON_STACK() to
>>> synchronous skciphers, which implies that the reqsize limit only has
>>> to apply synchronous skciphers as well. But before we can do this, we
>>> have to identify the remaining occurrences that allow asynchronous
>>> skciphers to be used, and replace them with heap allocations.
>>
>> Sounds good; thanks!
>
> crypto_init_skcipher_ops_blkcipher() doesn't touch reqsize at all, so
> the only places I can find it gets changed are with direct callers of
> crypto_skcipher_set_reqsize(), which, when wrapping a sync blkcipher
> start with a reqsize == 0. So, the remaining non-ASYNC callers ask
> for:
>
>     4  struct sun4i_cipher_req_ctx
>    96  struct crypto_rfc3686_req_ctx
>   375  sum:
>           160  crypto_skcipher_blocksize(cipher) (max)
>           152  struct crypto_cts_reqctx
>            63  align_mask (max)
>   384  struct rctx
>
> So, following your patch to encrypt/decrypt, I can add reqsize check
> there. How does this look, on top of your patch?
>
> --- a/include/crypto/skcipher.h > +++ b/include/crypto/skcipher.h 
> @@ -144,9 +144,10 @@ struct skcipher_alg { > /* > * This must only ever be used with synchronous algorithms. > */ > +#define MAX_SYNC_SKCIPHER_REQSIZE 384 > #define SKCIPHER_REQUEST_ON_STACK(name, tfm) \ > char __##name##_desc[sizeof(struct skcipher_request) + \ > - crypto_skcipher_reqsize(tfm)] CRYPTO_MINALIGN_ATTR = { 1 } \ > + MAX_SYNC_SKCIPHER_REQSIZE] CRYPTO_MINALIGN_ATTR = { 1 } \ > struct skcipher_request *name = (void *)__##name##_desc

If the lack of named initializer is too ugly, we could do something
crazy like:

#define MAX_SYNC_SKCIPHER_REQSIZE      384

struct skcipher_request_on_stack {
        union {
                struct skcipher_request req;
                char bytes[sizeof(struct skcipher_request) +
                           MAX_SYNC_SKCIPHER_REQSIZE];
        };
};

/*
 * This must only ever be used with synchronous algorithms.
 */
#define SKCIPHER_REQUEST_ON_STACK(name) \
        struct skcipher_request_on_stack __##name##_req = \
                { .req.__onstack = 1 }; \
        struct skcipher_request *name = &(__##name##_req.req)

-Kees

-- 
Kees Cook
Pixel Security
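
Review bot: SKCIPHER_REQUEST_ON_STACK(name, tfm) no longer references its tfm argument once the + line swaps crypto_skcipher_reqsize(tfm) for MAX_SYNC_SKCIPHER_REQSIZE, so nothing in this hunk stops a transform whose reqsize is above 384 from being used with the fixed buffer. The bound should be enforced in the same series: the message proposes a reqsize check in encrypt/decrypt, and a comparison against MAX_SYNC_SKCIPHER_REQSIZE where non-ASYNC algorithms call crypto_skcipher_set_reqsize() would catch an oversized context earlier. The new #define also deserves a comment saying that 384 is the size of lrw's struct rctx, the largest non-ASYNC request context in the survey quoted in the message. Separately, as quoted, the array declaration ends in "= { 1 } \" with no ";" before "struct skcipher_request *name" on both the - and + lines, so the macro would expand to two declarations with nothing separating them.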
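
The pattern the thread converges on (a fixed cap for synchronous request contexts, checked at registration and again at use, with async or oversized contexts on the heap), modelled in userspace C as an added example. This is not kernel code and not part of the patch; every model_* name is hypothetical, and the sample sizes are the ones quoted in the message.

```c
/* Userspace model, added for illustration; every model_* name is hypothetical. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_ALG_ASYNC        0x1u
#define MODEL_MAX_SYNC_REQSIZE 384  /* cap proposed in the thread */
struct model_request { unsigned int on_stack; size_t ctx_len; };
struct model_alg { const char *name; unsigned int flags; size_t reqsize; };

/* Constructed samples using sizes quoted in the message. */
static const struct model_alg model_lrw   = { "lrw-rctx", 0, 384 };
static const struct model_alg model_iproc = { "iproc", MODEL_ALG_ASYNC, 2456 };
static const struct model_alg model_bad   = { "sync-too-big", 0, 2456 };

/* Fixed-size replacement for the VLA: header plus worst-case sync context. */
union model_request_on_stack {
    struct model_request req;
    char bytes[sizeof(struct model_request) + MODEL_MAX_SYNC_REQSIZE];
};

/* Registration check: a synchronous algorithm must fit the on-stack cap. */
int model_register(const struct model_alg *alg)
{
    if (!(alg->flags & MODEL_ALG_ASYNC) && alg->reqsize > MODEL_MAX_SYNC_REQSIZE)
        return -EINVAL;
    return 0;
}

/* Use-time check repeated, since the buffer no longer scales with the tfm. */
int model_use_on_stack(const struct model_alg *alg)
{
    union model_request_on_stack buf = { .req = { .on_stack = 1 } };
    if ((alg->flags & MODEL_ALG_ASYNC) || alg->reqsize > MODEL_MAX_SYNC_REQSIZE)
        return -EINVAL;
    memset(buf.bytes + sizeof(buf.req), 0, alg->reqsize); /* context area */
    buf.req.ctx_len = alg->reqsize;
    return (int)buf.req.ctx_len;
}

/* Async or oversized contexts are sized at run time on the heap instead. */
int model_use_on_heap(const struct model_alg *alg)
{
    struct model_request *req = calloc(1, sizeof(*req) + alg->reqsize);
    int len = req ? (int)(req->ctx_len = alg->reqsize) : -ENOMEM;
    free(req);
    return len;
}
int main(void) { return !(model_register(&model_bad) == -EINVAL && model_use_on_stack(&model_lrw) == 384 && model_use_on_heap(&model_iproc) == 2456); }
```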