[RFC PATCH] crypto: add buffer overflow checks to testmgr

[RFC PATCH] crypto: add buffer overflow checks to testmgr

[Jarod Wilson]

At present, its entirely possible to add a test vector to testmgr with
an input longer than a page in length w/o specifying a .np option, and
overflow the page of memory allocated to {a,}xbuf[0], silently
corrupting memory. I know, because I've accidentally done it. :)

While this doesn't currently happen in practice w/the existing code,
due to all !np vectors being less than a 4k page in length (and the
page allocation loop often returns contiguous pages anyway), explicit
checks or a way to remove the 4k limit would be a good idea.

A few ways to fix and/or work around this:

1) allocate some larger guaranteed contiguous buffers using
__get_free_pages() or kmalloc and use them in the !np case

2) catch the > PAGE_SIZE && !np case and then do things similar to how
they are done in the np case

3) catch the > PAGE_SIZE && !np case and simply exit with an error

Since there currently aren't any test vectors that are actually larger
than a page and not tagged np, option 1 seems like a waste of memory
and option 2 sounds like unnecessary complexity, so I'd offer up
option 3 as the most viable alternative right now.

Signed-off-by: Jarod Wilson <jarod@redhat.com>

---
 crypto/testmgr.c |   34 ++++++++++++++++++++++++++++++++++
 1 files changed, 34 insertions(+), 0 deletions(-)

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 376ea88..9483a2b 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -185,6 +185,13 @@ static int test_hash(struct crypto_ahash *tfm, struct hash_testvec *template,
 
 		hash_buff = xbuf[0];
 
+		if (template[i].psize > PAGE_SIZE) {
+			printk(KERN_ERR "alg: hash: psize %u larger than "
+			       "contiguous buffer space\n", template[i].psize);
+			ret = -EOVERFLOW;
+			goto out;
+		}
+
 		memcpy(hash_buff, template[i].plaintext, template[i].psize);
 		sg_init_one(&sg[0], hash_buff, template[i].psize);
 
@@ -357,6 +364,16 @@ static int test_aead(struct crypto_aead *tfm, int enc,
 			input = xbuf[0];
 			assoc = axbuf[0];
 
+			if (template[i].ilen > PAGE_SIZE ||
+			    template[i].alen > PAGE_SIZE) {
+				printk(KERN_ERR "alg: aead: input larger than "
+				       "contiguous buffer space (ilen: %u, "
+				       "alen: %u)\n",
+				       template[i].ilen, template[i].alen);
+				ret = -EOVERFLOW;
+				goto out;
+			}
+
 			memcpy(input, template[i].input, template[i].ilen);
 			memcpy(assoc, template[i].assoc, template[i].alen);
 			if (template[i].iv)
@@ -651,6 +668,14 @@ static int test_cipher(struct crypto_cipher *tfm, int enc,
 		j++;
 
 		data = xbuf[0];
+
+		if (template[i].ilen > PAGE_SIZE) {
+			printk(KERN_ERR "alg: cipher: ilen %u larger than "
+			       "contiguous buffer space\n", template[i].ilen);
+			ret = -EOVERFLOW;
+			goto out;
+		}
+
 		memcpy(data, template[i].input, template[i].ilen);
 
 		crypto_cipher_clear_flags(tfm, ~0);
@@ -742,6 +767,15 @@ static int test_skcipher(struct crypto_ablkcipher *tfm, int enc,
 			j++;
 
 			data = xbuf[0];
+
+			if (template[i].ilen > PAGE_SIZE) {
+				printk(KERN_ERR "alg: skcipher: ilen %u larger "
+				       "than contiguous buffer space\n",
+				       template[i].ilen);
+				ret = -EOVERFLOW;
+				goto out;
+			}
+
 			memcpy(data, template[i].input, template[i].ilen);
 
 			crypto_ablkcipher_clear_flags(tfm, ~0);

-- 
Jarod Wilson
jarod@redhat.com

Re: [RFC PATCH] crypto: add buffer overflow checks to testmgr

[Neil Horman]

On Fri, May 29, 2009 at 11:32:54AM -0400, Jarod Wilson wrote:
> At present, its entirely possible to add a test vector to testmgr with
> an input longer than a page in length w/o specifying a .np option, and
> overflow the page of memory allocated to {a,}xbuf[0], silently
> corrupting memory. I know, because I've accidentally done it. :)
> 
> While this doesn't currently happen in practice w/the existing code,
> due to all !np vectors being less than a 4k page in length (and the
> page allocation loop often returns contiguous pages anyway), explicit
> checks or a way to remove the 4k limit would be a good idea.
> 
> A few ways to fix and/or work around this:
> 
> 1) allocate some larger guaranteed contiguous buffers using
> __get_free_pages() or kmalloc and use them in the !np case
> 
> 2) catch the > PAGE_SIZE && !np case and then do things similar to how
> they are done in the np case
> 
> 3) catch the > PAGE_SIZE && !np case and simply exit with an error
> 
> Since there currently aren't any test vectors that are actually larger
> than a page and not tagged np, option 1 seems like a waste of memory
> and option 2 sounds like unnecessary complexity, so I'd offer up
> option 3 as the most viable alternative right now.
> 
> Signed-off-by: Jarod Wilson <jarod@redhat.com>
> 

Given the rate at which test vectors are added to the testmgr, and the
likelyhood one will be over a page in size, I think this is probably the best
way forward.  Its saves memory/complexity until for now, and catches anyone
trying to exceed the current 1 page size, at which point we can spend the time
to modify the testmanager to make use of scatter/gather chains to handle the
longer vectors.

Neil

Acked-by: Neil Horman <nhorman@tuxdriver.com>

> ---
>  crypto/testmgr.c |   34 ++++++++++++++++++++++++++++++++++
>  1 files changed, 34 insertions(+), 0 deletions(-)
> 
> diff --git a/crypto/testmgr.c b/crypto/testmgr.c
> index 376ea88..9483a2b 100644
> --- a/crypto/testmgr.c
> +++ b/crypto/testmgr.c
> @@ -185,6 +185,13 @@ static int test_hash(struct crypto_ahash *tfm, struct hash_testvec *template,
>  
>  		hash_buff = xbuf[0];
>  
> +		if (template[i].psize > PAGE_SIZE) {
> +			printk(KERN_ERR "alg: hash: psize %u larger than "
> +			       "contiguous buffer space\n", template[i].psize);
> +			ret = -EOVERFLOW;
> +			goto out;
> +		}
> +
>  		memcpy(hash_buff, template[i].plaintext, template[i].psize);
>  		sg_init_one(&sg[0], hash_buff, template[i].psize);
>  
> @@ -357,6 +364,16 @@ static int test_aead(struct crypto_aead *tfm, int enc,
>  			input = xbuf[0];
>  			assoc = axbuf[0];
>  
> +			if (template[i].ilen > PAGE_SIZE ||
> +			    template[i].alen > PAGE_SIZE) {
> +				printk(KERN_ERR "alg: aead: input larger than "
> +				       "contiguous buffer space (ilen: %u, "
> +				       "alen: %u)\n",
> +				       template[i].ilen, template[i].alen);
> +				ret = -EOVERFLOW;
> +				goto out;
> +			}
> +
>  			memcpy(input, template[i].input, template[i].ilen);
>  			memcpy(assoc, template[i].assoc, template[i].alen);
>  			if (template[i].iv)
> @@ -651,6 +668,14 @@ static int test_cipher(struct crypto_cipher *tfm, int enc,
>  		j++;
>  
>  		data = xbuf[0];
> +
> +		if (template[i].ilen > PAGE_SIZE) {
> +			printk(KERN_ERR "alg: cipher: ilen %u larger than "
> +			       "contiguous buffer space\n", template[i].ilen);
> +			ret = -EOVERFLOW;
> +			goto out;
> +		}
> +
>  		memcpy(data, template[i].input, template[i].ilen);
>  
>  		crypto_cipher_clear_flags(tfm, ~0);
> @@ -742,6 +767,15 @@ static int test_skcipher(struct crypto_ablkcipher *tfm, int enc,
>  			j++;
>  
>  			data = xbuf[0];
> +
> +			if (template[i].ilen > PAGE_SIZE) {
> +				printk(KERN_ERR "alg: skcipher: ilen %u larger "
> +				       "than contiguous buffer space\n",
> +				       template[i].ilen);
> +				ret = -EOVERFLOW;
> +				goto out;
> +			}
> +
>  			memcpy(data, template[i].input, template[i].ilen);
>  
>  			crypto_ablkcipher_clear_flags(tfm, ~0);
> 
> -- 
> Jarod Wilson
> jarod@redhat.com
> 

Re: [RFC PATCH] crypto: add buffer overflow checks to testmgr

[Herbert Xu]

On Fri, May 29, 2009 at 11:32:54AM -0400, Jarod Wilson wrote:
> At present, its entirely possible to add a test vector to testmgr with
> an input longer than a page in length w/o specifying a .np option, and
> overflow the page of memory allocated to {a,}xbuf[0], silently
> corrupting memory. I know, because I've accidentally done it. :)
> 
> While this doesn't currently happen in practice w/the existing code,
> due to all !np vectors being less than a 4k page in length (and the
> page allocation loop often returns contiguous pages anyway), explicit
> checks or a way to remove the 4k limit would be a good idea.
> 
> A few ways to fix and/or work around this:
> 
> 1) allocate some larger guaranteed contiguous buffers using
> __get_free_pages() or kmalloc and use them in the !np case
> 
> 2) catch the > PAGE_SIZE && !np case and then do things similar to how
> they are done in the np case
> 
> 3) catch the > PAGE_SIZE && !np case and simply exit with an error
> 
> Since there currently aren't any test vectors that are actually larger
> than a page and not tagged np, option 1 seems like a waste of memory
> and option 2 sounds like unnecessary complexity, so I'd offer up
> option 3 as the most viable alternative right now.
> 
> Signed-off-by: Jarod Wilson <jarod@redhat.com>

I just posted exactly the same thing yesterday :)
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [RFC PATCH] crypto: add buffer overflow checks to testmgr

[Jarod Wilson]

On 05/29/2009 06:10 PM, Herbert Xu wrote:
> On Fri, May 29, 2009 at 11:32:54AM -0400, Jarod Wilson wrote:
>> At present, its entirely possible to add a test vector to testmgr with
>> an input longer than a page in length w/o specifying a .np option, and
>> overflow the page of memory allocated to {a,}xbuf[0], silently
>> corrupting memory. I know, because I've accidentally done it. :)
>>
>> While this doesn't currently happen in practice w/the existing code,
>> due to all !np vectors being less than a 4k page in length (and the
>> page allocation loop often returns contiguous pages anyway), explicit
>> checks or a way to remove the 4k limit would be a good idea.
>>
>> A few ways to fix and/or work around this:
>>
>> 1) allocate some larger guaranteed contiguous buffers using
>> __get_free_pages() or kmalloc and use them in the !np case
>>
>> 2) catch the > PAGE_SIZE && !np case and then do things similar to how
>> they are done in the np case
>>
>> 3) catch the > PAGE_SIZE && !np case and simply exit with an error
>>
>> Since there currently aren't any test vectors that are actually larger
>> than a page and not tagged np, option 1 seems like a waste of memory
>> and option 2 sounds like unnecessary complexity, so I'd offer up
>> option 3 as the most viable alternative right now.
>>
>> Signed-off-by: Jarod Wilson <jarod@redhat.com>
> 
> I just posted exactly the same thing yesterday :)

Oh, haha, serves me right for not looking first... Your variant seems to
be a bit more complete too, as I didn't look at any of the possible cases
where there might be overflows when using scatterlists. Cool, worksforme!

Thanks much,

-- 
Jarod Wilson
jarod@redhat.com

Re: [RFC PATCH] crypto: add buffer overflow checks to testmgr

[Jarod Wilson]

On Friday 29 May 2009 18:10:55 Herbert Xu wrote:
> On Fri, May 29, 2009 at 11:32:54AM -0400, Jarod Wilson wrote:
> > At present, its entirely possible to add a test vector to testmgr with
> > an input longer than a page in length w/o specifying a .np option, and
> > overflow the page of memory allocated to {a,}xbuf[0], silently
> > corrupting memory. I know, because I've accidentally done it. :)
> > 
> > While this doesn't currently happen in practice w/the existing code,
> > due to all !np vectors being less than a 4k page in length (and the
> > page allocation loop often returns contiguous pages anyway), explicit
> > checks or a way to remove the 4k limit would be a good idea.
> > 
> > A few ways to fix and/or work around this:
> > 
> > 1) allocate some larger guaranteed contiguous buffers using
> > __get_free_pages() or kmalloc and use them in the !np case
> > 
> > 2) catch the > PAGE_SIZE && !np case and then do things similar to how
> > they are done in the np case
> > 
> > 3) catch the > PAGE_SIZE && !np case and simply exit with an error
> > 
> > Since there currently aren't any test vectors that are actually larger
> > than a page and not tagged np, option 1 seems like a waste of memory
> > and option 2 sounds like unnecessary complexity, so I'd offer up
> > option 3 as the most viable alternative right now.
> > 
> > Signed-off-by: Jarod Wilson <jarod@redhat.com>
> 
> I just posted exactly the same thing yesterday :)

One note... This is actually causing some new compile warnings to be
spit out, varies from arch to arch, dependent on page size... ppc64
with 64k pages is the worst offender:

crypto/testmgr.c: In function 'test_nhash':
crypto/testmgr.c:194: warning: comparison is always false due to limited range of data type
crypto/testmgr.c: In function 'test_aead':
crypto/testmgr.c:374: warning: comparison is always false due to limited range of data type
crypto/testmgr.c:375: warning: comparison is always false due to limited range of data type
crypto/testmgr.c: In function 'test_cipher':
crypto/testmgr.c:676: warning: comparison is always false due to limited range of data type
crypto/testmgr.c: In function 'test_skcipher':
crypto/testmgr.c:771: warning: comparison is always false due to limited range of data type



-- 
Jarod Wilson
jarod@redhat.com

Re: [RFC PATCH] crypto: add buffer overflow checks to testmgr

[Herbert Xu]

On Thu, Jun 04, 2009 at 05:59:36PM -0400, Jarod Wilson wrote:
> 
> One note... This is actually causing some new compile warnings to be
> spit out, varies from arch to arch, dependent on page size... ppc64
> with 64k pages is the worst offender:
> 
> crypto/testmgr.c: In function 'test_nhash':
> crypto/testmgr.c:194: warning: comparison is always false due to limited range of data type
> crypto/testmgr.c: In function 'test_aead':
> crypto/testmgr.c:374: warning: comparison is always false due to limited range of data type
> crypto/testmgr.c:375: warning: comparison is always false due to limited range of data type
> crypto/testmgr.c: In function 'test_cipher':
> crypto/testmgr.c:676: warning: comparison is always false due to limited range of data type
> crypto/testmgr.c: In function 'test_skcipher':
> crypto/testmgr.c:771: warning: comparison is always false due to limited range of data type

Don't worry, this warning will go away as soon as you move to a
more up-to-date gcc :)

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt