| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 28 Jun 2016 08:52:20 +0100
From: David Howells <dhowells@...hat.com>
To: Andy Lutomirski <luto@...nel.org>
Cc: dhowells@...hat.com, x86@...nel.org, linux-kernel@...r.kernel.org,
linux-arch@...r.kernel.org, Borislav Petkov <bp@...en8.de>,
Nadav Amit <nadav.amit@...il.com>,
Kees Cook <keescook@...omium.org>,
Brian Gerst <brgerst@...il.com>,
"kernel-hardening@...ts.openwall.com"
<kernel-hardening@...ts.openwall.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Josh Poimboeuf <jpoimboe@...hat.com>,
Jann Horn <jann@...jh.net>,
Heiko Carstens <heiko.carstens@...ibm.com>,
Herbert Xu <herbert@...dor.apana.org.au>
Subject: Re: [PATCH v4 02/29] rxrpc: Avoid using stack memory in SG lists in rxkad
Andy Lutomirski <luto@...nel.org> wrote:
> - skcipher_request_set_crypt(req, &sg[1], &sg[0], sizeof(tmpbuf), iv.x);
> + skcipher_request_set_crypt(req, &sg, &sg, sizeof(tmpbuf), iv.x);
Don't the sg's have to be different? Aren't they both altered by the process
of reading/writing from them?
> struct rxrpc_skb_priv *sp;
> ...
> + swap(tmpbuf.xl, *(__be64 *)sp);
> +
> + sg_init_one(&sg, sp, sizeof(tmpbuf));
???? I assume you're assuming that the rxrpc_skb_priv struct contents can
arbitrarily replaced temporarily...
And using an XCHG-equivalent instruction? This won't work on a 32-bit arch
(apart from one that sports CMPXCHG8 or similar).
> /*
> - * load a scatterlist with a potentially split-page buffer
> + * load a scatterlist
> */
> -static void rxkad_sg_set_buf2(struct scatterlist sg[2],
> +static void rxkad_sg_set_buf2(struct scatterlist sg[1],
> void *buf, size_t buflen)
> {
> - int nsg = 1;
> -
> - sg_init_table(sg, 2);
> -
> + sg_init_table(sg, 1);
> sg_set_buf(&sg[0], buf, buflen);
> - if (sg[0].offset + buflen > PAGE_SIZE) {
> - /* the buffer was split over two pages */
> - sg[0].length = PAGE_SIZE - sg[0].offset;
> - sg_set_buf(&sg[1], buf + sg[0].length, buflen - sg[0].length);
> - nsg++;
> - }
> -
> - sg_mark_end(&sg[nsg - 1]);
> -
> - ASSERTCMP(sg[0].length + sg[1].length, ==, buflen);
> }
This should be a separate patch.
David
Powered by blists - more mailing lists