lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Sat, 8 Jan 2022 10:28:22 +0100
From:   Ard Biesheuvel <ardb@...nel.org>
To:     Kees Cook <keescook@...omium.org>
Cc:     Herbert Xu <herbert@...dor.apana.org.au>,
        Boris Brezillon <bbrezillon@...nel.org>,
        Arnaud Ebalard <arno@...isbad.org>,
        Srujana Challa <schalla@...vell.com>,
        "David S. Miller" <davem@...emloft.net>,
        Suheil Chandran <schandran@...vell.com>,
        Shijith Thotton <sthotton@...vell.com>,
        Lukasz Bartosik <lbartosik@...vell.com>,
        Linux Crypto Mailing List <linux-crypto@...r.kernel.org>,
        Dan Carpenter <dan.carpenter@...cle.com>,
        Jiapeng Chong <jiapeng.chong@...ux.alibaba.com>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        linux-hardening@...r.kernel.org
Subject: Re: [PATCH v2] crypto: octeontx2 - Avoid stack variable overflow

On Wed, 5 Jan 2022 at 18:50, Kees Cook <keescook@...omium.org> wrote:
>
> Building with -Warray-bounds showed a stack variable array index
> overflow. Increase the expected size of the array to avoid the warning:
>
> In file included from ./include/linux/printk.h:555,
>                  from ./include/asm-generic/bug.h:22,
>                  from ./arch/x86/include/asm/bug.h:84,
>                  from ./include/linux/bug.h:5,
>                  from ./include/linux/mmdebug.h:5,
>                  from ./include/linux/gfp.h:5,
>                  from ./include/linux/firmware.h:7,
>                  from drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c:5:
> drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c: In function 'otx2_cpt_print_uc_dbg_info':
> ./include/linux/dynamic_debug.h:162:33: warning: array subscript 4 is above array bounds of 'u32[4]' {aka 'unsigned int[4]'} [-Warray-bounds]
>   162 |         _dynamic_func_call(fmt, __dynamic_pr_debug,             \
>       |                                 ^
> ./include/linux/dynamic_debug.h:134:17: note: in definition of macro '__dynamic_func_call'
>   134 |                 func(&id, ##__VA_ARGS__);               \
>       |                 ^~~~
> ./include/linux/dynamic_debug.h:162:9: note: in expansion of macro '_dynamic_func_call'
>   162 |         _dynamic_func_call(fmt, __dynamic_pr_debug,             \
>       |         ^~~~~~~~~~~~~~~~~~
> ./include/linux/printk.h:570:9: note: in expansion of macro 'dynamic_pr_debug'
>   570 |         dynamic_pr_debug(fmt, ##__VA_ARGS__)
>       |         ^~~~~~~~~~~~~~~~
> drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c:1807:41: note: in expansion of macro 'pr_debug'
>  1807 |                                         pr_debug("Mask: %8.8x %8.8x %8.8x %8.8x %8.8x",
>       |                                         ^~~~~~~~
> drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c:1765:13: note: while referencing 'mask'
>  1765 |         u32 mask[4];
>       |             ^~~~
>
> This is justified because the mask size (eng_grps->engs_num) can be at
> most 144 (OTX2_CPT_MAX_ENGINES bits), which is larger than available
> storage. 4 * 32 == 128, so this must be 5: 5 * 32bit = 150.
>

160

> Additionally clear the mask before conversion so trailing bits are zero.
>
> Cc: Herbert Xu <herbert@...dor.apana.org.au>
> Cc: Boris Brezillon <bbrezillon@...nel.org>
> Cc: Arnaud Ebalard <arno@...isbad.org>
> Cc: Srujana Challa <schalla@...vell.com>
> Cc: "David S. Miller" <davem@...emloft.net>
> Cc: Suheil Chandran <schandran@...vell.com>
> Cc: Shijith Thotton <sthotton@...vell.com>
> Cc: Lukasz Bartosik <lbartosik@...vell.com>
> Cc: linux-crypto@...r.kernel.org
> Fixes: d9d7749773e8 ("crypto: octeontx2 - add apis for custom engine groups")
> Signed-off-by: Kees Cook <keescook@...omium.org>

Acked-by: Ard Biesheuvel <ardb@...nel.org>

> ---
> v1: https://lore.kernel.org/lkml/20211215225558.1995027-1-keescook@chromium.org/
> v2:
>  - expliticly zero "mask"
>  - explain math in commit log
>  - move definition into local context
> ---
>  drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c b/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
> index 4c8ebdf671ca..1b4d425bbf0e 100644
> --- a/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
> +++ b/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
> @@ -1753,7 +1753,6 @@ void otx2_cpt_print_uc_dbg_info(struct otx2_cptpf_dev *cptpf)
>         char engs_info[2 * OTX2_CPT_NAME_LENGTH];
>         struct otx2_cpt_eng_grp_info *grp;
>         struct otx2_cpt_engs_rsvd *engs;
> -       u32 mask[4];
>         int i, j;
>
>         pr_debug("Engine groups global info");
> @@ -1785,6 +1784,8 @@ void otx2_cpt_print_uc_dbg_info(struct otx2_cptpf_dev *cptpf)
>                 for (j = 0; j < OTX2_CPT_MAX_ETYPES_PER_GRP; j++) {
>                         engs = &grp->engs[j];
>                         if (engs->type) {
> +                               u32 mask[5] = { };
> +
>                                 get_engs_info(grp, engs_info,
>                                               2 * OTX2_CPT_NAME_LENGTH, j);
>                                 pr_debug("Slot%d: %s", j, engs_info);
> --
> 2.30.2
>

Powered by blists - more mailing lists