[PATCH 0/2] xfrm/crypto: unaligned access fixes

[PATCH 0/2] xfrm/crypto: unaligned access fixes

[Sowmini Varadhan]

A two-part patchset that fixes some "unaligned access" warnings
that showed up my sparc test machines with ipsec set up.


Sowmini Varadhan (2):
  crypto/x509: Fix unaligned access in x509_get_sig_params()
  Fix unaligned access in xfrm_notify_sa() for DELSA

 crypto/asymmetric_keys/x509_public_key.c |    5 +++--
 net/xfrm/xfrm_user.c                     |    2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

[PATCH 1/2] crypto/x509: Fix unaligned access in x509_get_sig_params()

[Sowmini Varadhan]

x509_get_sig_params() has the same code pattern as the one in
pkcs7_verify() that is fixed by commit 62f57d05e287 ("crypto: pkcs7 - Fix
unaligned access in pkcs7_verify()") so apply a similar fix here: make
sure that desc is pointing at an algined value past the digest_size,
and take alignment values into consideration when doing kzalloc()

Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
---
 crypto/asymmetric_keys/x509_public_key.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index 1970966..68c3c40 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -194,14 +194,15 @@ int x509_get_sig_params(struct x509_certificate *cert)
 	 * digest storage space.
 	 */
 	ret = -ENOMEM;
-	digest = kzalloc(digest_size + desc_size, GFP_KERNEL);
+	digest = kzalloc(ALIGN(digest_size, __alignof__(*desc)) + desc_size,
+			 GFP_KERNEL);
 	if (!digest)
 		goto error;
 
 	cert->sig.digest = digest;
 	cert->sig.digest_size = digest_size;
 
-	desc = digest + digest_size;
+	desc = PTR_ALIGN(digest + digest_size, __alignof__(*desc));
 	desc->tfm = tfm;
 	desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
 
-- 
1.7.1

[PATCH net-next 2/2] xfrm: Fix unaligned access in xfrm_notify_sa() for DELSA

[Sowmini Varadhan]

On sparc, deleting established SAs (e.g., by restarting ipsec
at the peer) results in unaligned access messages via
xfrm_del_sa -> km_state_notify -> xfrm_send_state_notify().
Use an aligned pointer to xfrm_usersa_info for this case.

Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
---
 net/xfrm/xfrm_user.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index a8de9e3..158ef4a 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2659,7 +2659,7 @@ static int xfrm_notify_sa(struct xfrm_state *x, const struct km_event *c)
 		if (attr == NULL)
 			goto out_free_skb;
 
-		p = nla_data(attr);
+		p = PTR_ALIGN(nla_data(attr), __alignof__(*p));
 	}
 	err = copy_to_user_state_extra(x, p, skb);
 	if (err)
-- 
1.7.1

Re: [PATCH 1/2] crypto/x509: Fix unaligned access in x509_get_sig_params()

[David Howells]

Sowmini Varadhan <sowmini.varadhan@oracle.com> wrote:

> x509_get_sig_params() has the same code pattern as the one in
> pkcs7_verify() that is fixed by commit 62f57d05e287 ("crypto: pkcs7 - Fix
> unaligned access in pkcs7_verify()") so apply a similar fix here: make
> sure that desc is pointing at an algined value past the digest_size,
> and take alignment values into consideration when doing kzalloc()
> 
> Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>

Acked-by: David Howells <dhowells@redhat.com>

Re: [PATCH 1/2] crypto/x509: Fix unaligned access in x509_get_sig_params()

[Herbert Xu]

On Mon, Oct 19, 2015 at 05:23:28PM -0400, Sowmini Varadhan wrote:
> x509_get_sig_params() has the same code pattern as the one in
> pkcs7_verify() that is fixed by commit 62f57d05e287 ("crypto: pkcs7 - Fix
> unaligned access in pkcs7_verify()") so apply a similar fix here: make
> sure that desc is pointing at an algined value past the digest_size,
> and take alignment values into consideration when doing kzalloc()
> 
> Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH net-next 2/2] xfrm: Fix unaligned access in xfrm_notify_sa() for DELSA

[Steffen Klassert]

On Mon, Oct 19, 2015 at 05:23:29PM -0400, Sowmini Varadhan wrote:
> On sparc, deleting established SAs (e.g., by restarting ipsec
> at the peer) results in unaligned access messages via
> xfrm_del_sa -> km_state_notify -> xfrm_send_state_notify().
> Use an aligned pointer to xfrm_usersa_info for this case.
> 
> Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
> ---
>  net/xfrm/xfrm_user.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
> index a8de9e3..158ef4a 100644
> --- a/net/xfrm/xfrm_user.c
> +++ b/net/xfrm/xfrm_user.c
> @@ -2659,7 +2659,7 @@ static int xfrm_notify_sa(struct xfrm_state *x, const struct km_event *c)
>  		if (attr == NULL)
>  			goto out_free_skb;
>  
> -		p = nla_data(attr);
> +		p = PTR_ALIGN(nla_data(attr), __alignof__(*p));

Hm, this breaks userspace notifications on 64-bit systems.
Userspace expects this to be aligned to 4, with your patch
it is aligned to 8 on 64-bit.

Without your patch I get the correct notification when deleting a SA:

ip x m

Deleted src 172.16.0.2 dst 172.16.0.1
        proto esp spi 0x00000002 reqid 2 mode tunnel
        replay-window 32
        auth-trunc hmac(sha1) 0x31323334353637383930 96
        enc cbc(aes) 0x31323334353637383930313233343536
        sel src 10.0.0.0/24 dst 192.168.0.0/24

With your patch I get for the same SA:

ip x m

Deleted src 50.0.0.0 dst 0.0.0.0
        proto 0 reqid 0 mode transport
        replay-window 0 flag decap-dscp
        auth-trunc hmac(sha1) 0x31323334353637383930 96
        enc cbc(aes) 0x31323334353637383930313233343536
        sel src 0.0.0.0/0 dst 0.234.255.255/0 proto igmp

Re: [PATCH net-next 2/2] xfrm: Fix unaligned access in xfrm_notify_sa() for DELSA

[Sowmini Varadhan]

On (10/21/15 08:57), Steffen Klassert wrote:
> > --- a/net/xfrm/xfrm_user.c
> > +++ b/net/xfrm/xfrm_user.c
> > @@ -2659,7 +2659,7 @@ static int xfrm_notify_sa(struct xfrm_state *x, const struct km_event *c)
> >  		if (attr == NULL)
> >  			goto out_free_skb;
> >  
> > -		p = nla_data(attr);
> > +		p = PTR_ALIGN(nla_data(attr), __alignof__(*p));
> 
> Hm, this breaks userspace notifications on 64-bit systems.
> Userspace expects this to be aligned to 4, with your patch
> it is aligned to 8 on 64-bit.
> 
> Without your patch I get the correct notification when deleting a SA:
> 

But __alignof__(*p) is 8 on sparc, and without the patch I get
all types of unaligned access. So what do you suggest as the fix?

(and openswan/pluto dont flag any errors with the patch, which is
a separate bug).

--Sowmini

Re: [PATCH net-next 2/2] xfrm: Fix unaligned access in xfrm_notify_sa() for DELSA

[Sowmini Varadhan]

On (10/21/15 06:54), Sowmini Varadhan wrote:
> But __alignof__(*p) is 8 on sparc, and without the patch I get
> all types of unaligned access. So what do you suggest as the fix?

Even though the alignment is, in fact, 8 (and that comes from
struct xfrm_lifetime_cfg), if uspace is firmly attached to the 4 byte
alignment, I think we can retain that behavior and still avoid
unaligned access in the kernel with the following (admittedly ugly hack).
Can you please take a look? I tested it with 'ip x m' and a transport 
mode tunnel on my sparc.


diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 158ef4a..ca4e7f0 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2620,7 +2620,7 @@ static inline size_t xfrm_sa_len(struct xfrm_state *x)
 static int xfrm_notify_sa(struct xfrm_state *x, const struct km_event *c)
 {
        struct net *net = xs_net(x);
-       struct xfrm_usersa_info *p;
+       struct xfrm_usersa_info *p, tmp;
        struct xfrm_usersa_id *id;
        struct nlmsghdr *nlh;
        struct sk_buff *skb;
@@ -2659,11 +2659,16 @@ static int xfrm_notify_sa(struct xfrm_state *x, const struct km_event *c)
                if (attr == NULL)
                        goto out_free_skb;
 
-               p = PTR_ALIGN(nla_data(attr), __alignof__(*p));
+               p = nla_data(attr);
+               err = copy_to_user_state_extra(x, &tmp, skb);
+               if (err)
+                       goto out_free_skb;
+               memcpy((u8 *)p, &tmp, sizeof(tmp));
+       } else {
+               err = copy_to_user_state_extra(x, p, skb);
+               if (err)
+                       goto out_free_skb;
        }
-       err = copy_to_user_state_extra(x, p, skb);
-       if (err)
-               goto out_free_skb;
 
        nlmsg_end(skb, nlh);

Re: [PATCH net-next 2/2] xfrm: Fix unaligned access in xfrm_notify_sa() for DELSA

[David Miller]

From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Wed, 21 Oct 2015 08:57:04 +0200

> On Mon, Oct 19, 2015 at 05:23:29PM -0400, Sowmini Varadhan wrote:
>> On sparc, deleting established SAs (e.g., by restarting ipsec
>> at the peer) results in unaligned access messages via
>> xfrm_del_sa -> km_state_notify -> xfrm_send_state_notify().
>> Use an aligned pointer to xfrm_usersa_info for this case.
>> 
>> Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
>> ---
>>  net/xfrm/xfrm_user.c |    2 +-
>>  1 files changed, 1 insertions(+), 1 deletions(-)
>> 
>> diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
>> index a8de9e3..158ef4a 100644
>> --- a/net/xfrm/xfrm_user.c
>> +++ b/net/xfrm/xfrm_user.c
>> @@ -2659,7 +2659,7 @@ static int xfrm_notify_sa(struct xfrm_state *x, const struct km_event *c)
>>  		if (attr == NULL)
>>  			goto out_free_skb;
>>  
>> -		p = nla_data(attr);
>> +		p = PTR_ALIGN(nla_data(attr), __alignof__(*p));
> 
> Hm, this breaks userspace notifications on 64-bit systems.
> Userspace expects this to be aligned to 4, with your patch
> it is aligned to 8 on 64-bit.

That's correct, netlink attributes are fundamentally only 4 byte
aligned and this cannot be changed.  nla_data() is exactly
where the attribute must be placed, aligned or not.

The only workaround is, when designing netlink attributes.  Various
netlink libraries have workarounds for accessing, for example, 64-bit
stats which are going to be unaligned in netlink messages.

Re: [PATCH net-next 2/2] xfrm: Fix unaligned access in xfrm_notify_sa() for DELSA

[Sowmini Varadhan]

On (10/21/15 06:22), David Miller wrote:
> memcpy() _never_ works for avoiding unaligned accessed.
> 
> I repeat, no matter what you do, no matter what kinds of casts or
> fancy typing you use, memcpy() _never_ works for this purpose.
  :
> There is one and only one portable way to access unaligned data,
> and that is with the get_unaligned() and put_unaligned() helpers.

ok. I'll fix it up to use the *_unaligned functions and resend this 
out later today.

--Sowmini

Re: [PATCH net-next 2/2] xfrm: Fix unaligned access in xfrm_notify_sa() for DELSA

[David Miller]

From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Date: Wed, 21 Oct 2015 06:54:42 -0400

> On (10/21/15 08:57), Steffen Klassert wrote:
>> > --- a/net/xfrm/xfrm_user.c
>> > +++ b/net/xfrm/xfrm_user.c
>> > @@ -2659,7 +2659,7 @@ static int xfrm_notify_sa(struct xfrm_state *x, const struct km_event *c)
>> >  		if (attr == NULL)
>> >  			goto out_free_skb;
>> >  
>> > -		p = nla_data(attr);
>> > +		p = PTR_ALIGN(nla_data(attr), __alignof__(*p));
>> 
>> Hm, this breaks userspace notifications on 64-bit systems.
>> Userspace expects this to be aligned to 4, with your patch
>> it is aligned to 8 on 64-bit.
>> 
>> Without your patch I get the correct notification when deleting a SA:
>> 
> 
> But __alignof__(*p) is 8 on sparc, and without the patch I get
> all types of unaligned access. So what do you suggest as the fix?

The accesses have to be done using something like get_unaligned() and
put_unaligned().

Sorry, but the protocol is set in stone and this is unfortunately how
it is.

Re: [PATCH net-next 2/2] xfrm: Fix unaligned access in xfrm_notify_sa() for DELSA

[David Miller]

From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Date: Wed, 21 Oct 2015 08:36:28 -0400

> +               memcpy((u8 *)p, &tmp, sizeof(tmp));

memcpy() _never_ works for avoiding unaligned accessed.

I repeat, no matter what you do, no matter what kinds of casts or
fancy typing you use, memcpy() _never_ works for this purpose.

The compiler knows that the pointer you are using is supposed to be at
least 8 byte aligned, it can look through the cast and that's
completely legitimate for it to do.

So it can legitimately inline emit loads and stores to implement the
memcpy() and those will still get the unaligned accesses.

There is one and only one portable way to access unaligned data,
and that is with the get_unaligned() and put_unaligned() helpers.

Userland must do something similar to deal with this situation
as well.