lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAK8P3a0_7ocqJZHA5Zbkd4yvhQnczKJxiSrBjOUDCmzO4gAb2Q@mail.gmail.com>
Date:   Tue, 18 Jun 2019 20:06:46 +0200
From:   Arnd Bergmann <arnd@...db.de>
To:     Mimi Zohar <zohar@...ux.ibm.com>
Cc:     Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
        James Morris <jmorris@...ei.org>,
        "Serge E. Hallyn" <serge@...lyn.com>,
        Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>,
        Stefan Berger <stefanb@...ux.vnet.ibm.com>,
        linux-integrity@...r.kernel.org,
        LSM List <linux-security-module@...r.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] ima: dynamically allocate shash_desc

On Tue, Jun 18, 2019 at 3:55 PM Mimi Zohar <zohar@...ux.ibm.com> wrote:
>
> On Mon, 2019-06-17 at 22:08 +0200, Arnd Bergmann wrote:
> > On Mon, Jun 17, 2019 at 8:08 PM Mimi Zohar <zohar@...ux.ibm.com> wrote:
> > >
> > > On Mon, 2019-06-17 at 11:55 -0400, Mimi Zohar wrote:
> > > > On Mon, 2019-06-17 at 13:20 +0200, Arnd Bergmann wrote:
> > > > > On 32-bit ARM, we get a warning about excessive stack usage when
> > > > > building with clang.
> > > > >
> > > > > security/integrity/ima/ima_crypto.c:504:5: error: stack frame size
> > > > > of 1152 bytes in function 'ima_calc_field_array_hash' [-Werror,-
> > > > > Wframe-larger-than=]
> > > >
> > > > I'm definitely not seeing this.  Is this problem a result of non
> > > > upstreamed patches?  For sha1, currently the only possible hash
> > > > algorithm, I'm seeing 664.
> >
> > You won't see it with gcc, only with clang in some randconfig builds,
> > I suppose only when KASAN is enabled.
> >
> > > Every time a measurement is added to the measurement list, the memory
> > > would be allocated/freed.  The frequency of new measurements is policy
> > > dependent.  For performance reasons, I'd prefer if the allocation
> > > remains on the stack.
> >
> > Is there a way to preallocate the shash_desc instead? That would
> > avoid the overhead.
>
> There are 3 other SHASH_DESC_ON_STACK definitions in just
> ima_crypto.c, with a total of ~55 other places in the kernel.  Before
> fixing this particular function, I'd like to know if the "excessive
> stack usage" warning is limited to ima_calc_field_array_hash_tfm().
>  If so, what is so special about its usage of SHASH_DESC_ON_STACK?

SHASH_DESC_ON_STACK() uses at least 512 bytes of stack
everywhere, which is half of the warning limit for a function on
32 bit kernels.

With KASAN, a small redzone is put around it so we can detect out
of bounds access to a variable that is passed by reference.
clang makes that buffer larger than gcc, so we end up with something
like 768 bytes for each instance of SHASH_DESC_ON_STACK().

Most other users still stay below the 1024 byte warning level though,
because typical functions only use a few bytes of stack space.
In case of ima_calc_field_array_hash_tfm(), the is also the buffer[]
array of 255 bytes that gets another large redzone.

I fixed up all the (randconfig) warnings I get for arm32, arm64 and
x86 kernels, and I think there were four to five that were because of
SHASH_DESC_ON_STACK(). It might make sense to convert all
three instances in ima to preallocate the descriptor if we do it for
one of them, even when it's not actually needed.

     Arnd

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ