| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20180824160255.rg7lgt2tcbwjc5xn@mmilisic-mbp.dhcp.thefacebook.com>
Date: Fri, 24 Aug 2018 09:02:55 -0700
From: Dave Watson <davejwatson@...com>
To: Herbert Xu <herbert@...dor.apana.org.au>
CC: Mikulas Patocka <mpatocka@...hat.com>,
"David S. Miller" <davem@...emloft.net>,
<linux-crypto@...r.kernel.org>, Mike Snitzer <msnitzer@...hat.com>,
<dm-devel@...hat.com>, <linux-kernel@...r.kernel.org>
Subject: Re: Deadlock when using crypto API for block devices
On 08/24/18 09:22 PM, Herbert Xu wrote:
> > > BTW. gcmaes_crypt_by_sg also contains GFP_ATOMIC and -ENOMEM, behind a
> > > pretty complex condition. Do you mean that this condition is part of the
> > > contract that the crypto API provides?
> >
> > This is an implementation defect. I think for this case we should
> > fall back to software GCM if the accelerated version fails.
> >
> > > Should "req->src->offset + req->src->length < PAGE_SIZE" use "<=" instead?
> > > Because if the data ends up at page boundary, it will use the atomic
> > > allocation that can fail.
> >
> > This condition does look strange. It's introduced by the commit
> > e845520707f85c539ce04bb73c6070e9441480be. Dave, what exactly is
> > it meant to do?
The aesni routines still require linear AAD data, the condition checks
that the AAD data is linear, and if not, kmallocs and copies it to a
linear buffer.
Yes, the condition looks like it could be <= PAGE_SIZE, similar to the
one in gcmaes_encrypt.
Yes, we should fall back to software gcm if kmalloc fails, although
AAD data is usually small, and it is probably worth having a small
stack buffer before attempting to kmalloc.
Powered by blists - more mailing lists