Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp2315471rwb; Fri, 11 Nov 2022 07:46:31 -0800 (PST) X-Google-Smtp-Source: AA0mqf6XgOTrRy4PsqZ3jFd4428Gk7u3E9Pg0wfFmuoUkmKGuXluxaaQl3wJvXIuvRxPsLHJxmQC X-Received: by 2002:a05:6a00:a16:b0:56a:fd45:d054 with SMTP id p22-20020a056a000a1600b0056afd45d054mr3420155pfh.3.1668181590924; Fri, 11 Nov 2022 07:46:30 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1668181590; cv=none; d=google.com; s=arc-20160816; b=hvJw+rCwomPH+bS/Y130Eb2to6tBeea37xBJ7f9R2+GILivPMEf4NOs4pmA6Le+IOi begHn4ZBu52Nqvxn4cS6QkE6zzwtJxVpadwrcAl/NY3WkO9gSDk9wby/Hyq5LJXHXj3v 80Gxe89ATdKkDZGlV0N7M7dZ3+RTexmxmoi6bnoROeX2b4EsCVis5d32o0Rn9jaHzWYN x7nlR7pQAfWJzYArJ6SXKq3weNg+O6ddsSKB/ZbAYg0+4/qFWKrKnPzMVVNsmphPtwGJ wT2eOMxsXmO/NXfX4tUCurTRSudOJaF5hTt72uD8nvgSDPoHpBOUNN9FrzaTGTSO9H19 UnUA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :content-language:references:cc:to:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=BG6yEELrQ+5Gqlx5pgI/WTlERb6rsrrOtH7R7yNN+oM=; b=PerbP69w0hElt7IvGc8vCJ9xALqjfwyxVLSvHeEjoOtm0ltlpMXWjpA8fr/LwZjdQT 0CIIc7xEJCoFsqKJxRQ6Uw3zUwV21MdW5vhJhKxdsRGG1hOeOTv1891b/Z0HdljoYB4V PBoxmbj1+/y6AdFuE5BiNQVkmgk9X5FZoUTqJZ9TpRthrT0LuvTqLAsg8OFB+yfJuCqS V4YzJlNR9HZ1aFG9Ue75nM0QQs43ILpqZyPFx6bUpw688c3EjC5WZL8BGfK6KVSis163 i7lrpMaYo1zGtP3kMT+AoQke3hSzGVKIhZ/hkwAyExyZwfACOEoMNXDZhJ8FyTwIfV9c B2VQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=enfrrrCd; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id y139-20020a626491000000b0056ea2b142b6si2384622pfb.373.2022.11.11.07.46.07; Fri, 11 Nov 2022 07:46:30 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=enfrrrCd; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233189AbiKKPnz (ORCPT + 99 others); Fri, 11 Nov 2022 10:43:55 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57302 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233844AbiKKPny (ORCPT ); Fri, 11 Nov 2022 10:43:54 -0500 Received: from mail-pl1-x62e.google.com (mail-pl1-x62e.google.com [IPv6:2607:f8b0:4864:20::62e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 312C4DE93 for ; Fri, 11 Nov 2022 07:43:53 -0800 (PST) Received: by mail-pl1-x62e.google.com with SMTP id p21so4526706plr.7 for ; Fri, 11 Nov 2022 07:43:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=BG6yEELrQ+5Gqlx5pgI/WTlERb6rsrrOtH7R7yNN+oM=; b=enfrrrCdo9uMC850+wFIYO7P+pm42FJ+U08bCwrj3XJAI+hn9P0gg690/cimgawHHb reamDV/ndgTLANm1lUgPfa1EQKe+8lffl6A0T1W0OeQamU6ZnV6+MiAdkmyOlgI//SxY iozjDMECt1uVXMn7Ia1asPqShPOMruP74fqghr+WJ6hfecyOR6meUUPpljhiHlGYl98Q qreNlEsGKpCSK0JvUJX3Y089c+9Q79dtCB2TWUAmlSG3/tRbDbjfGtG679wXYoH1OP2v hRxLcDbSYkN+EebAzi13yNpD4qGmjPZKXU1d2Q69OgJdvZTHc6F65UM+vEGHZQ581yiy 0+8g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=BG6yEELrQ+5Gqlx5pgI/WTlERb6rsrrOtH7R7yNN+oM=; b=1yLoa/cAqePDn7VveKmS6NmvELmj6IbDHfFpIJNtVcQmHHM4/LVwzSvsueuclR+jCz 1+NdM4LL4EjC2RUZHbVDZsAnH60GyYST0JfAexFaH06iED9l9C3DVi5Qi8foaR6UPZuG HqpPK4sE53yE9iL04hb+6Q4x8Y4Ap3E2o1XiOUpooqA3877ud/c3YUk6EXMtj/pZFDRO maVVLDpGec7fD6U+yzpBpcMRI58Aanun8WI4Z89gdatHQgysWAK5naxolPcdLmRLOSgy akavcEMLt2yIlOBSCd2Za12nUEAwSO3dWDUZTb6tUSJPDgQpjI/ChVFaVZuBkU5Lzrec fq4w== X-Gm-Message-State: ANoB5plvWxSnmJYav8MXyRiHfkgcedZDzGcGkxcOYzwP2ytuK+r7iEQw 8gQ8ciLKRys7Ox3ytmCvpxA= X-Received: by 2002:a17:902:6a8c:b0:186:b46d:da59 with SMTP id n12-20020a1709026a8c00b00186b46dda59mr3063119plk.116.1668181432552; Fri, 11 Nov 2022 07:43:52 -0800 (PST) Received: from ?IPV6:2606:4700:110:8d19:ef92:9207:5a0d:60e7? ([2a09:bac1:3f00:98::16:12e]) by smtp.gmail.com with ESMTPSA id n5-20020aa79845000000b0056281da3bcbsm1788872pfq.149.2022.11.11.07.43.48 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 11 Nov 2022 07:43:52 -0800 (PST) Message-ID: Date: Sat, 12 Nov 2022 00:43:46 +0900 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.2 Subject: Re: crypto: cryptd - Use request context instead of stack for sub-request To: Herbert Xu Cc: linux-crypto@vger.kernel.org, davem@davemloft.net, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, kirill.shutemov@linux.intel.com, richard@nod.at, viro@zeniv.linux.org.uk, sathyanarayanan.kuppuswamy@linux.intel.com, jpoimboe@kernel.org, elliott@hpe.com, x86@kernel.org, jussi.kivilinna@iki.fi, Kees Cook References: <20221106143627.30920-1-ap420073@gmail.com> <20221106143627.30920-2-ap420073@gmail.com> <51ed3735-24f0-eef0-0ca6-908c4581d143@gmail.com> Content-Language: en-US From: Taehee Yoo In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT, FREEMAIL_FROM,NICE_REPLY_A,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Hi Herbert, Thank you so much for this work! On 11/11/22 18:59, Herbert Xu wrote: > On Wed, Nov 09, 2022 at 10:16:58PM +0900, Taehee Yoo wrote: >> >> I have encountered kernel panic(stack-out-of-bounds) while using the reqctx >> instead of the tfm. >> >> cryptd is used when simd drivers are used. >> cryptd_skcipher_encrypt() internally doesn't allocate a request ctx of a >> child, instead, it uses stack memory with SYNC_SKCIPHER_REQUEST_ON_STACK. >> It retains only 384 bytes for child request ctx even if a child set a large >> reqsize value with crypto_skcipher_set_reqsize(). >> aria-avx2 needs 512 bytes and aria-avx512 needs 1024 bytes. >> So, stack-out-of-bounds occurs. > > OK this is not supposed to happen. > > ---8<--- > cryptd is buggy as it tries to use sync_skcipher without going > through the proper sync_skcipher interface. In fact it doesn't > even need sync_skcipher since it's already a proper skcipher and > can easily access the request context instead of using something > off the stack. > I have tested this patch with ctr(aria-avx), ctr(aria-avx2), and ctr(aria-avx512), and it works well. stack-out-of-bounds issues have disappeared after this patch. So, I will test more and I will send a v4 patch. > Fixes: 36b3875a97b8 ("crypto: cryptd - Remove VLA usage of skcipher") > Signed-off-by: Herbert Xu > > diff --git a/crypto/cryptd.c b/crypto/cryptd.c > index 668095eca0fa..ca3a40fc7da9 100644 > --- a/crypto/cryptd.c > +++ b/crypto/cryptd.c > @@ -68,11 +68,12 @@ struct aead_instance_ctx { > > struct cryptd_skcipher_ctx { > refcount_t refcnt; > - struct crypto_sync_skcipher *child; > + struct crypto_skcipher *child; > }; > > struct cryptd_skcipher_request_ctx { > crypto_completion_t complete; > + struct skcipher_request req; > }; > > struct cryptd_hash_ctx { > @@ -227,13 +228,13 @@ static int cryptd_skcipher_setkey(struct crypto_skcipher *parent, > const u8 *key, unsigned int keylen) > { > struct cryptd_skcipher_ctx *ctx = crypto_skcipher_ctx(parent); > - struct crypto_sync_skcipher *child = ctx->child; > + struct crypto_skcipher *child = ctx->child; > > - crypto_sync_skcipher_clear_flags(child, CRYPTO_TFM_REQ_MASK); > - crypto_sync_skcipher_set_flags(child, > - crypto_skcipher_get_flags(parent) & > - CRYPTO_TFM_REQ_MASK); > - return crypto_sync_skcipher_setkey(child, key, keylen); > + crypto_skcipher_clear_flags(child, CRYPTO_TFM_REQ_MASK); > + crypto_skcipher_set_flags(child, > + crypto_skcipher_get_flags(parent) & > + CRYPTO_TFM_REQ_MASK); > + return crypto_skcipher_setkey(child, key, keylen); > } > > static void cryptd_skcipher_complete(struct skcipher_request *req, int err) > @@ -258,13 +259,13 @@ static void cryptd_skcipher_encrypt(struct crypto_async_request *base, > struct cryptd_skcipher_request_ctx *rctx = skcipher_request_ctx(req); > struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); > struct cryptd_skcipher_ctx *ctx = crypto_skcipher_ctx(tfm); > - struct crypto_sync_skcipher *child = ctx->child; > - SYNC_SKCIPHER_REQUEST_ON_STACK(subreq, child); > + struct skcipher_request *subreq = &rctx->req; > + struct crypto_skcipher *child = ctx->child; > > if (unlikely(err == -EINPROGRESS)) > goto out; > > - skcipher_request_set_sync_tfm(subreq, child); > + skcipher_request_set_tfm(subreq, child); > skcipher_request_set_callback(subreq, CRYPTO_TFM_REQ_MAY_SLEEP, > NULL, NULL); > skcipher_request_set_crypt(subreq, req->src, req->dst, req->cryptlen, > @@ -286,13 +287,13 @@ static void cryptd_skcipher_decrypt(struct crypto_async_request *base, > struct cryptd_skcipher_request_ctx *rctx = skcipher_request_ctx(req); > struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); > struct cryptd_skcipher_ctx *ctx = crypto_skcipher_ctx(tfm); > - struct crypto_sync_skcipher *child = ctx->child; > - SYNC_SKCIPHER_REQUEST_ON_STACK(subreq, child); > + struct skcipher_request *subreq = &rctx->req; > + struct crypto_skcipher *child = ctx->child; > > if (unlikely(err == -EINPROGRESS)) > goto out; > > - skcipher_request_set_sync_tfm(subreq, child); > + skcipher_request_set_tfm(subreq, child); > skcipher_request_set_callback(subreq, CRYPTO_TFM_REQ_MAY_SLEEP, > NULL, NULL); > skcipher_request_set_crypt(subreq, req->src, req->dst, req->cryptlen, > @@ -343,9 +344,10 @@ static int cryptd_skcipher_init_tfm(struct crypto_skcipher *tfm) > if (IS_ERR(cipher)) > return PTR_ERR(cipher); > > - ctx->child = (struct crypto_sync_skcipher *)cipher; > + ctx->child = cipher; > crypto_skcipher_set_reqsize( > - tfm, sizeof(struct cryptd_skcipher_request_ctx)); > + tfm, sizeof(struct cryptd_skcipher_request_ctx) + > + crypto_skcipher_reqsize(cipher)); > return 0; > } > > @@ -353,7 +355,7 @@ static void cryptd_skcipher_exit_tfm(struct crypto_skcipher *tfm) > { > struct cryptd_skcipher_ctx *ctx = crypto_skcipher_ctx(tfm); > > - crypto_free_sync_skcipher(ctx->child); > + crypto_free_skcipher(ctx->child); > } > > static void cryptd_skcipher_free(struct skcipher_instance *inst) > @@ -931,7 +933,7 @@ struct crypto_skcipher *cryptd_skcipher_child(struct cryptd_skcipher *tfm) > { > struct cryptd_skcipher_ctx *ctx = crypto_skcipher_ctx(&tfm->base); > > - return &ctx->child->base; > + return ctx->child; > } > EXPORT_SYMBOL_GPL(cryptd_skcipher_child); > Thanks a lot, Taehee Yoo