| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 28 Jan 2022 17:24:16 +1100
From: Herbert Xu <herbert@...dor.apana.org.au>
To: Kees Cook <keescook@...omium.org>
Cc: Boris Brezillon <bbrezillon@...nel.org>,
Arnaud Ebalard <arno@...isbad.org>,
Srujana Challa <schalla@...vell.com>,
"David S. Miller" <davem@...emloft.net>,
Suheil Chandran <schandran@...vell.com>,
Shijith Thotton <sthotton@...vell.com>,
Lukasz Bartosik <lbartosik@...vell.com>,
linux-crypto@...r.kernel.org, Ard Biesheuvel <ardb@...nel.org>,
Dan Carpenter <dan.carpenter@...cle.com>,
Jiapeng Chong <jiapeng.chong@...ux.alibaba.com>,
linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH v3] crypto: octeontx2 - Avoid stack variable overflow
On Wed, Jan 12, 2022 at 12:38:11PM -0800, Kees Cook wrote:
> Building with -Warray-bounds showed a stack variable array index
> overflow. Increase the expected size of the array to avoid the warning:
>
> In file included from ./include/linux/printk.h:555,
> from ./include/asm-generic/bug.h:22,
> from ./arch/x86/include/asm/bug.h:84,
> from ./include/linux/bug.h:5,
> from ./include/linux/mmdebug.h:5,
> from ./include/linux/gfp.h:5,
> from ./include/linux/firmware.h:7,
> from drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c:5:
> drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c: In function 'otx2_cpt_print_uc_dbg_info':
> ./include/linux/dynamic_debug.h:162:33: warning: array subscript 4 is above array bounds of 'u32[4]' {aka 'unsigned int[4]'} [-Warray-bounds]
> 162 | _dynamic_func_call(fmt, __dynamic_pr_debug, \
> | ^
> ./include/linux/dynamic_debug.h:134:17: note: in definition of macro '__dynamic_func_call'
> 134 | func(&id, ##__VA_ARGS__); \
> | ^~~~
> ./include/linux/dynamic_debug.h:162:9: note: in expansion of macro '_dynamic_func_call'
> 162 | _dynamic_func_call(fmt, __dynamic_pr_debug, \
> | ^~~~~~~~~~~~~~~~~~
> ./include/linux/printk.h:570:9: note: in expansion of macro 'dynamic_pr_debug'
> 570 | dynamic_pr_debug(fmt, ##__VA_ARGS__)
> | ^~~~~~~~~~~~~~~~
> drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c:1807:41: note: in expansion of macro 'pr_debug'
> 1807 | pr_debug("Mask: %8.8x %8.8x %8.8x %8.8x %8.8x",
> | ^~~~~~~~
> drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c:1765:13: note: while referencing 'mask'
> 1765 | u32 mask[4];
> | ^~~~
>
> This is justified because the mask size (eng_grps->engs_num) can be at
> most 144 (OTX2_CPT_MAX_ENGINES bits), which is larger than available
> storage. 4 * 32 == 128, so this must be 5: 5 * 32bit = 160.
>
> Additionally clear the mask before conversion so trailing bits are zero.
>
> Cc: Herbert Xu <herbert@...dor.apana.org.au>
> Cc: Boris Brezillon <bbrezillon@...nel.org>
> Cc: Arnaud Ebalard <arno@...isbad.org>
> Cc: Srujana Challa <schalla@...vell.com>
> Cc: "David S. Miller" <davem@...emloft.net>
> Cc: Suheil Chandran <schandran@...vell.com>
> Cc: Shijith Thotton <sthotton@...vell.com>
> Cc: Lukasz Bartosik <lbartosik@...vell.com>
> Cc: linux-crypto@...r.kernel.org
> Fixes: d9d7749773e8 ("crypto: octeontx2 - add apis for custom engine groups")
> Acked-by: Ard Biesheuvel <ardb@...nel.org>
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
> v1: https://lore.kernel.org/lkml/20211215225558.1995027-1-keescook@chromium.org/
> v2: https://lore.kernel.org/lkml/20220105174953.2433019-1-keescook@chromium.org/
> v3:
> - Fix commit log math typo
> - Add Ack
> ---
> drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
Patch applied. Thanks.
--
Email: Herbert Xu <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Powered by blists - more mailing lists