| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAGXu5j+XG7y1RGMLt_=cDyiXxVhQX78_6VdHG3qwzdcwt8n7vw@mail.gmail.com>
Date: Mon, 25 Jun 2018 16:13:31 -0700
From: Kees Cook <keescook@...omium.org>
To: Eric Biggers <ebiggers3@...il.com>
Cc: Herbert Xu <herbert@...dor.apana.org.au>,
Giovanni Cabiddu <giovanni.cabiddu@...el.com>,
Arnd Bergmann <arnd@...db.de>,
Eric Biggers <ebiggers@...gle.com>,
Mike Snitzer <snitzer@...hat.com>,
"Gustavo A. R. Silva" <gustavo@...eddedor.com>,
qat-linux@...el.com, LKML <linux-kernel@...r.kernel.org>,
dm-devel@...hat.com, linux-crypto <linux-crypto@...r.kernel.org>,
Lars Persson <larper@...s.com>,
Tim Chen <tim.c.chen@...ux.intel.com>,
"David S. Miller" <davem@...emloft.net>,
Alasdair Kergon <agk@...hat.com>,
Rabin Vincent <rabinv@...s.com>
Subject: Re: [dm-devel] [PATCH v2 10/11] crypto: ahash: Remove VLA usage for AHASH_REQUEST_ON_STACK
On Mon, Jun 25, 2018 at 3:56 PM, Eric Biggers <ebiggers3@...il.com> wrote:
> On Mon, Jun 25, 2018 at 02:10:25PM -0700, Kees Cook wrote:
>> In the quest to remove all stack VLA usage from the kernel[1], this caps
>> the ahash request size similar to the other limits and adds a sanity
>> check at registration. Unfortunately, these reqsizes can be huge. Looking
>> at all callers of crypto_ahash_set_reqsize(), the largest appears to be
>> 664 bytes, based on a combination of manual inspection and pahole output:
>>
>> 4 dcp_sha_req_ctx
>> 40 crypto4xx_ctx
>> 52 hash_req_ctx
>> 80 ahash_request
>> 88 rk_ahash_rctx
>> 104 sun4i_req_ctx
>> 200 mcryptd_hash_request_ctx
>> 216 safexcel_ahash_req
>> 228 sha1_hash_ctx
>> 228 sha256_hash_ctx
>> 248 img_hash_request_ctx
>> 252 mtk_sha_reqctx
>> 276 sahara_sha_reqctx
>> 304 mv_cesa_ahash_req
>> 316 iproc_reqctx_s
>> 320 caam_hash_state
>> 320 qce_sha_reqctx
>> 356 sha512_hash_ctx
>> 384 ahash_req_ctx
>> 400 chcr_ahash_req_ctx
>> 416 stm32_hash_request_ctx
>> 432 talitos_ahash_req_ctx
>> 462 atmel_sha_reqctx
>> 496 ccp_aes_cmac_req_ctx
>> 616 ccp_sha_req_ctx
>> 664 artpec6_hash_request_context
>>
>> So, this chooses 720 as a larger "round" number for the max.
>>
>
> This isn't accounting for the cases where a hash algorithm is "wrapped" with
> another one, which increases the request size. For example, "sha512_mb" ends up
> with a request size of
>
> sizeof(struct ahash_request) +
> sizeof(struct mcryptd_hash_request_ctx) +
> sizeof(struct ahash_request) +
> sizeof(struct sha512_hash_ctx)
>
> == 808 bytes, on x86_64 with CONFIG_DEBUG_SG enabled.
>
> (Note also that structure sizes can vary depending on the architecture
> and the kernel config.)
>
> So, with the self-tests enabled your new BUG_ON() is hit on boot:
Ugh, right. Wow, that _really_ gets big. Which are likely to wrap
which others? Looks like software case plus hardware case? i.e.
mcryptd_hash_request_ctx with artpec6_hash_request_context is the
largest we could get? So: 80 + 80 + 200 + 664 ? Oh, hilarious. That
comes exactly to 1024. :P
So ... 1024?
-Kees
--
Kees Cook
Pixel Security
Powered by blists - more mailing lists