| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <54e89cea-a1a1-90a3-912f-209172bb41ae@embeddedor.com> Date: Fri, 16 Mar 2018 08:19:31 -0500 From: "Gustavo A. R. Silva" <gustavo@...eddedor.com> To: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Cc: linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] USB: wusbcore: crypto: Remove VLA usage I just discovered an issue with this patch. Please, drop it. I'll send v2 shortly. Thanks -- Gustavo On 03/16/2018 08:01 AM, Gustavo A. R. Silva wrote: > In preparation to enabling -Wvla, remove VLA and replace it > with dynamic memory allocation instead. > > The use of stack Variable Length Arrays needs to be avoided, as they > can be a vector for stack exhaustion, which can be both a runtime bug > or a security flaw. Also, in general, as code evolves it is easy to > lose track of how big a VLA can get. Thus, we can end up having runtime > failures that are hard to debug. > > Also, fixed as part of the directive to remove all VLAs from > the kernel: https://lkml.org/lkml/2018/3/7/621 > > Notice that in this particular case, an alternative to kzalloc is kcalloc, > in which case the code would look as follows instead: > > iv = kcalloc(crypto_skcipher_ivsize(tfm_cbc), sizeof(*iv), GFP_KERNEL); > > but if the data type of _iv_ never changes, or the type size is always one > byte, kzalloc is good enough. > > Signed-off-by: Gustavo A. R. Silva <gustavo@...eddedor.com> > --- > drivers/usb/wusbcore/crypto.c | 11 +++++++---- > 1 file changed, 7 insertions(+), 4 deletions(-) > > diff --git a/drivers/usb/wusbcore/crypto.c b/drivers/usb/wusbcore/crypto.c > index 4c00be2d..3511473 100644 > --- a/drivers/usb/wusbcore/crypto.c > +++ b/drivers/usb/wusbcore/crypto.c > @@ -202,7 +202,7 @@ static int wusb_ccm_mac(struct crypto_skcipher *tfm_cbc, > struct scatterlist sg[4], sg_dst; > void *dst_buf; > size_t dst_size; > - u8 iv[crypto_skcipher_ivsize(tfm_cbc)]; > + u8 *iv; > size_t zero_padding; > > /* > @@ -222,9 +222,11 @@ static int wusb_ccm_mac(struct crypto_skcipher *tfm_cbc, > zero_padding; > dst_buf = kzalloc(dst_size, GFP_KERNEL); > if (!dst_buf) > - goto error_dst_buf; > + goto error_alloc; > > - memset(iv, 0, sizeof(iv)); > + iv = kzalloc(crypto_skcipher_ivsize(tfm_cbc), GFP_KERNEL); > + if (!iv) > + goto error_alloc; > > /* Setup B0 */ > scratch->b0.flags = 0x59; /* Format B0 */ > @@ -276,8 +278,9 @@ static int wusb_ccm_mac(struct crypto_skcipher *tfm_cbc, > bytewise_xor(mic, &scratch->ax, iv, 8); > result = 8; > error_cbc_crypt: > + kfree(iv); > kfree(dst_buf); > -error_dst_buf: > +error_alloc: > return result; > } > >
Powered by blists - more mailing lists