All of lore.kernel.org
 help / color / mirror / Atom feed
From: Eric Biggers <ebiggers3@gmail.com>
To: Kees Cook <keescook@chromium.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
	Giovanni Cabiddu <giovanni.cabiddu@intel.com>,
	Arnd Bergmann <arnd@arndb.de>,
	"Gustavo A. R. Silva" <gustavo@embeddedor.com>,
	Mike Snitzer <snitzer@redhat.com>,
	Eric Biggers <ebiggers@google.com>,
	qat-linux@intel.com, LKML <linux-kernel@vger.kernel.org>,
	dm-devel@redhat.com, linux-crypto <linux-crypto@vger.kernel.org>,
	Lars Persson <larper@axis.com>,
	Tim Chen <tim.c.chen@linux.intel.com>,
	Alasdair Kergon <agk@redhat.com>, Rabin Vincent <rabinv@axis.com>
Subject: Re: [dm-devel] [PATCH v5 05/11] crypto: ahash: Remove VLA usage
Date: Tue, 17 Jul 2018 16:12:09 -0700	[thread overview]
Message-ID: <20180717231209.GJ75957@gmail.com> (raw)
In-Reply-To: <CAGXu5jKKD4hzeFEdvY5QdahEr4POd9ZM_B_5Z_iU-Qmx3AYSfQ@mail.gmail.com>

On Tue, Jul 17, 2018 at 01:07:50PM -0700, Kees Cook wrote:
> On Tue, Jul 17, 2018 at 9:39 AM, Eric Biggers <ebiggers3@gmail.com> wrote:
> > On Mon, Jul 16, 2018 at 09:21:44PM -0700, Kees Cook wrote:
> >> In the quest to remove all stack VLA usage from the kernel[1], this
> >> introduces max size macros for ahash, as already done for shash, and
> >> adjust the crypto user to max state size.
> >>
> >> [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com
> >>
> >> Signed-off-by: Kees Cook <keescook@chromium.org>
> >> ---
> >>  crypto/ahash.c        | 4 ++--
> >>  crypto/algif_hash.c   | 2 +-
> >>  include/crypto/hash.h | 3 +++
> >>  3 files changed, 6 insertions(+), 3 deletions(-)
> >>
> >> diff --git a/crypto/ahash.c b/crypto/ahash.c
> >> index a64c143165b1..6435bdbe42fd 100644
> >> --- a/crypto/ahash.c
> >> +++ b/crypto/ahash.c
> >> @@ -550,8 +550,8 @@ static int ahash_prepare_alg(struct ahash_alg *alg)
> >>  {
> >>       struct crypto_alg *base = &alg->halg.base;
> >>
> >> -     if (alg->halg.digestsize > PAGE_SIZE / 8 ||
> >> -         alg->halg.statesize > PAGE_SIZE / 8 ||
> >> +     if (alg->halg.digestsize > AHASH_MAX_DIGESTSIZE ||
> >> +         alg->halg.statesize > AHASH_MAX_STATESIZE ||
> >>           alg->halg.statesize == 0)
> >>               return -EINVAL;
> >>
> >> diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
> >> index bfcf595fd8f9..8974ee8ebead 100644
> >> --- a/crypto/algif_hash.c
> >> +++ b/crypto/algif_hash.c
> >> @@ -239,7 +239,7 @@ static int hash_accept(struct socket *sock, struct socket *newsock, int flags,
> >>       struct alg_sock *ask = alg_sk(sk);
> >>       struct hash_ctx *ctx = ask->private;
> >>       struct ahash_request *req = &ctx->req;
> >> -     char state[crypto_ahash_statesize(crypto_ahash_reqtfm(req)) ? : 1];
> >> +     char state[AHASH_MAX_STATESIZE];
> >>       struct sock *sk2;
> >>       struct alg_sock *ask2;
> >>       struct hash_ctx *ctx2;
> >> diff --git a/include/crypto/hash.h b/include/crypto/hash.h
> >> index ae14cc0e0cdb..4fcd0e2368cd 100644
> >> --- a/include/crypto/hash.h
> >> +++ b/include/crypto/hash.h
> >> @@ -64,6 +64,9 @@ struct ahash_request {
> >>       void *__ctx[] CRYPTO_MINALIGN_ATTR;
> >>  };
> >>
> >> +#define AHASH_MAX_DIGESTSIZE 512
> >> +#define AHASH_MAX_STATESIZE  512
> >> +
> >
> > Why is AHASH_MAX_DIGESTSIZE (512) so much larger than SHASH_MAX_DIGESTSIZE (64)?
> > I would have expected them to be the same.
> 
> This was a direct replacement of the PAGE_SIZE / 8 original limit.
> This this didn't trip any frame size warnings, it seemed like we
> didn't need to do the more narrow limitations done elsewhere.
> 
> I am, of course, happy to do a manual review and find a lower
> alternative if that's desired.
> 

I just don't see why ahash algorithms would need such a huge maximum digest
size.  Don't the 'ahash' algorithms all have 'shash' equivalents too?  Is there
actually any hash algorithm, either shash or ahash, in the Linux kernel that has
a digest size greater than 64 bytes (512 bits)?  Note that for a real
cryptographic hash there isn't really any need for a digest size larger than
that, since that already gives you 256-bit collision resistance; that's why
SHA-2 and SHA-3 max out at that size.

- Eric

  reply	other threads:[~2018-07-17 23:12 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-07-17  4:21 [PATCH v5 00/11] crypto: Remove VLA usage Kees Cook
2018-07-17  4:21 ` Kees Cook
2018-07-17  4:21 ` [PATCH v5 01/11] crypto: xcbc: " Kees Cook
2018-07-17  6:35   ` Herbert Xu
2018-07-17  4:21 ` [PATCH v5 02/11] crypto: cbc: " Kees Cook
2018-07-17  4:21 ` [PATCH v5 03/11] crypto: shash: " Kees Cook
2018-07-17  4:21 ` [PATCH v5 04/11] dm integrity: " Kees Cook
2018-07-17  4:21   ` Kees Cook
2018-07-17  4:21 ` [PATCH v5 05/11] crypto: ahash: " Kees Cook
2018-07-17  4:21   ` Kees Cook
2018-07-17 16:39   ` [dm-devel] " Eric Biggers
2018-07-17 20:07     ` Kees Cook
2018-07-17 23:12       ` Eric Biggers [this message]
2018-07-19  3:14         ` Kees Cook
2018-07-17  4:21 ` [PATCH v5 06/11] dm verity fec: " Kees Cook
2018-07-17  4:21 ` [PATCH v5 07/11] crypto alg: Introduce generic max blocksize and alignmask Kees Cook
2018-07-17  4:21   ` Kees Cook
2018-07-17  4:21 ` [PATCH v5 08/11] crypto: qat: Remove VLA usage Kees Cook
2018-07-17  4:21 ` [PATCH v5 09/11] crypto: shash: Remove VLA usage in unaligned hashing Kees Cook
2018-07-17  4:21 ` [PATCH v5 10/11] crypto: ahash: Remove VLA usage for AHASH_REQUEST_ON_STACK Kees Cook
2018-07-17 16:43   ` [dm-devel] " Eric Biggers
2018-07-17 20:11     ` Kees Cook
2018-07-17  4:21 ` [PATCH v5 11/11] crypto: skcipher: Remove VLA usage for SKCIPHER_REQUEST_ON_STACK Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180717231209.GJ75957@gmail.com \
    --to=ebiggers3@gmail.com \
    --cc=agk@redhat.com \
    --cc=arnd@arndb.de \
    --cc=dm-devel@redhat.com \
    --cc=ebiggers@google.com \
    --cc=giovanni.cabiddu@intel.com \
    --cc=gustavo@embeddedor.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=keescook@chromium.org \
    --cc=larper@axis.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=qat-linux@intel.com \
    --cc=rabinv@axis.com \
    --cc=snitzer@redhat.com \
    --cc=tim.c.chen@linux.intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.