From: Kees Cook <keescook@chromium.org> To: Herbert Xu <herbert@gondor.apana.org.au> Cc: Giovanni Cabiddu <giovanni.cabiddu@intel.com>, Arnd Bergmann <arnd@arndb.de>, Mike Snitzer <snitzer@redhat.com>, "Gustavo A. R. Silva" <gustavo@embeddedor.com>, Eric Biggers <ebiggers@google.com>, qat-linux@intel.com, linux-kernel@vger.kernel.org, dm-devel@redhat.com, linux-crypto@vger.kernel.org, Rabin Vincent <rabinv@axis.com>, Lars Persson <larper@axis.com>, Tim Chen <tim.c.chen@linux.intel.com>, "David S. Miller" <davem@davemloft.net>, Alasdair Kergon <agk@redhat.com>, Kees Cook <keescook@chromium.org> Subject: [PATCH v2 04/11] dm integrity: Remove VLA usage Date: Mon, 25 Jun 2018 14:10:19 -0700 [thread overview] Message-ID: <20180625211026.15819-5-keescook@chromium.org> (raw) In-Reply-To: <20180625211026.15819-1-keescook@chromium.org> In the quest to remove all stack VLA usage from the kernel[1], this uses the new SHASH_MAX_DIGESTSIZE from the crypto layer to allocate the upper bounds on stack usage. [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com Cc: Alasdair Kergon <agk@redhat.com> Cc: Mike Snitzer <snitzer@redhat.com> Cc: dm-devel@redhat.com Signed-off-by: Kees Cook <keescook@chromium.org> --- drivers/md/dm-integrity.c | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c index 86438b2f10dd..85e8ce1625a2 100644 --- a/drivers/md/dm-integrity.c +++ b/drivers/md/dm-integrity.c @@ -521,7 +521,12 @@ static void section_mac(struct dm_integrity_c *ic, unsigned section, __u8 result } memset(result + size, 0, JOURNAL_MAC_SIZE - size); } else { - __u8 digest[size]; + __u8 digest[SHASH_MAX_DIGESTSIZE]; + + if (WARN_ON(size > sizeof(digest))) { + dm_integrity_io_error(ic, "digest_size", -EINVAL); + goto err; + } r = crypto_shash_final(desc, digest); if (unlikely(r)) { dm_integrity_io_error(ic, "crypto_shash_final", r); @@ -1244,7 +1249,7 @@ static void integrity_metadata(struct work_struct *w) struct bio *bio = dm_bio_from_per_bio_data(dio, sizeof(struct dm_integrity_io)); char *checksums; unsigned extra_space = unlikely(digest_size > ic->tag_size) ? digest_size - ic->tag_size : 0; - char checksums_onstack[ic->tag_size + extra_space]; + char checksums_onstack[SHASH_MAX_DIGESTSIZE]; unsigned sectors_to_process = dio->range.n_sectors; sector_t sector = dio->range.logical_sector; @@ -1253,8 +1258,14 @@ static void integrity_metadata(struct work_struct *w) checksums = kmalloc((PAGE_SIZE >> SECTOR_SHIFT >> ic->sb->log2_sectors_per_block) * ic->tag_size + extra_space, GFP_NOIO | __GFP_NORETRY | __GFP_NOWARN); - if (!checksums) + if (!checksums) { checksums = checksums_onstack; + if (WARN_ON(extra_space && + digest_size > sizeof(checksums_onstack))) { + r = -EINVAL; + goto error; + } + } __bio_for_each_segment(bv, bio, iter, dio->orig_bi_iter) { unsigned pos; @@ -1466,7 +1477,7 @@ static bool __journal_read_write(struct dm_integrity_io *dio, struct bio *bio, } while (++s < ic->sectors_per_block); #ifdef INTERNAL_VERIFY if (ic->internal_hash) { - char checksums_onstack[max(crypto_shash_digestsize(ic->internal_hash), ic->tag_size)]; + char checksums_onstack[max(SHASH_MAX_DIGESTSIZE, MAX_TAG_SIZE)]; integrity_sector_checksum(ic, logical_sector, mem + bv.bv_offset, checksums_onstack); if (unlikely(memcmp(checksums_onstack, journal_entry_tag(ic, je), ic->tag_size))) { @@ -1516,7 +1527,7 @@ static bool __journal_read_write(struct dm_integrity_io *dio, struct bio *bio, if (ic->internal_hash) { unsigned digest_size = crypto_shash_digestsize(ic->internal_hash); if (unlikely(digest_size > ic->tag_size)) { - char checksums_onstack[digest_size]; + char checksums_onstack[SHASH_MAX_DIGESTSIZE]; integrity_sector_checksum(ic, logical_sector, (char *)js, checksums_onstack); memcpy(journal_entry_tag(ic, je), checksums_onstack, ic->tag_size); } else @@ -1937,7 +1948,7 @@ static void do_journal_write(struct dm_integrity_c *ic, unsigned write_start, unlikely(from_replay) && #endif ic->internal_hash) { - char test_tag[max(crypto_shash_digestsize(ic->internal_hash), ic->tag_size)]; + char test_tag[max_t(size_t, SHASH_MAX_DIGESTSIZE, MAX_TAG_SIZE)]; integrity_sector_checksum(ic, sec + ((l - j) << ic->sb->log2_sectors_per_block), (char *)access_journal_data(ic, i, l), test_tag); -- 2.17.1
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org> To: Herbert Xu <herbert@gondor.apana.org.au> Cc: Kees Cook <keescook@chromium.org>, Alasdair Kergon <agk@redhat.com>, Mike Snitzer <snitzer@redhat.com>, dm-devel@redhat.com, "Gustavo A. R. Silva" <gustavo@embeddedor.com>, Arnd Bergmann <arnd@arndb.de>, Eric Biggers <ebiggers@google.com>, Giovanni Cabiddu <giovanni.cabiddu@intel.com>, Lars Persson <larper@axis.com>, Rabin Vincent <rabinv@axis.com>, Tim Chen <tim.c.chen@linux.intel.com>, "David S. Miller" <davem@davemloft.net>, linux-crypto@vger.kernel.org, qat-linux@intel.com, linux-kernel@vger.kernel.org Subject: [PATCH v2 04/11] dm integrity: Remove VLA usage Date: Mon, 25 Jun 2018 14:10:19 -0700 [thread overview] Message-ID: <20180625211026.15819-5-keescook@chromium.org> (raw) In-Reply-To: <20180625211026.15819-1-keescook@chromium.org> In the quest to remove all stack VLA usage from the kernel[1], this uses the new SHASH_MAX_DIGESTSIZE from the crypto layer to allocate the upper bounds on stack usage. [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com Cc: Alasdair Kergon <agk@redhat.com> Cc: Mike Snitzer <snitzer@redhat.com> Cc: dm-devel@redhat.com Signed-off-by: Kees Cook <keescook@chromium.org> --- drivers/md/dm-integrity.c | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c index 86438b2f10dd..85e8ce1625a2 100644 --- a/drivers/md/dm-integrity.c +++ b/drivers/md/dm-integrity.c @@ -521,7 +521,12 @@ static void section_mac(struct dm_integrity_c *ic, unsigned section, __u8 result } memset(result + size, 0, JOURNAL_MAC_SIZE - size); } else { - __u8 digest[size]; + __u8 digest[SHASH_MAX_DIGESTSIZE]; + + if (WARN_ON(size > sizeof(digest))) { + dm_integrity_io_error(ic, "digest_size", -EINVAL); + goto err; + } r = crypto_shash_final(desc, digest); if (unlikely(r)) { dm_integrity_io_error(ic, "crypto_shash_final", r); @@ -1244,7 +1249,7 @@ static void integrity_metadata(struct work_struct *w) struct bio *bio = dm_bio_from_per_bio_data(dio, sizeof(struct dm_integrity_io)); char *checksums; unsigned extra_space = unlikely(digest_size > ic->tag_size) ? digest_size - ic->tag_size : 0; - char checksums_onstack[ic->tag_size + extra_space]; + char checksums_onstack[SHASH_MAX_DIGESTSIZE]; unsigned sectors_to_process = dio->range.n_sectors; sector_t sector = dio->range.logical_sector; @@ -1253,8 +1258,14 @@ static void integrity_metadata(struct work_struct *w) checksums = kmalloc((PAGE_SIZE >> SECTOR_SHIFT >> ic->sb->log2_sectors_per_block) * ic->tag_size + extra_space, GFP_NOIO | __GFP_NORETRY | __GFP_NOWARN); - if (!checksums) + if (!checksums) { checksums = checksums_onstack; + if (WARN_ON(extra_space && + digest_size > sizeof(checksums_onstack))) { + r = -EINVAL; + goto error; + } + } __bio_for_each_segment(bv, bio, iter, dio->orig_bi_iter) { unsigned pos; @@ -1466,7 +1477,7 @@ static bool __journal_read_write(struct dm_integrity_io *dio, struct bio *bio, } while (++s < ic->sectors_per_block); #ifdef INTERNAL_VERIFY if (ic->internal_hash) { - char checksums_onstack[max(crypto_shash_digestsize(ic->internal_hash), ic->tag_size)]; + char checksums_onstack[max(SHASH_MAX_DIGESTSIZE, MAX_TAG_SIZE)]; integrity_sector_checksum(ic, logical_sector, mem + bv.bv_offset, checksums_onstack); if (unlikely(memcmp(checksums_onstack, journal_entry_tag(ic, je), ic->tag_size))) { @@ -1516,7 +1527,7 @@ static bool __journal_read_write(struct dm_integrity_io *dio, struct bio *bio, if (ic->internal_hash) { unsigned digest_size = crypto_shash_digestsize(ic->internal_hash); if (unlikely(digest_size > ic->tag_size)) { - char checksums_onstack[digest_size]; + char checksums_onstack[SHASH_MAX_DIGESTSIZE]; integrity_sector_checksum(ic, logical_sector, (char *)js, checksums_onstack); memcpy(journal_entry_tag(ic, je), checksums_onstack, ic->tag_size); } else @@ -1937,7 +1948,7 @@ static void do_journal_write(struct dm_integrity_c *ic, unsigned write_start, unlikely(from_replay) && #endif ic->internal_hash) { - char test_tag[max(crypto_shash_digestsize(ic->internal_hash), ic->tag_size)]; + char test_tag[max_t(size_t, SHASH_MAX_DIGESTSIZE, MAX_TAG_SIZE)]; integrity_sector_checksum(ic, sec + ((l - j) << ic->sb->log2_sectors_per_block), (char *)access_journal_data(ic, i, l), test_tag); -- 2.17.1
next prev parent reply other threads:[~2018-06-25 21:10 UTC|newest] Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-06-25 21:10 [PATCH v2 00/11] crypto: Remove VLA usage Kees Cook 2018-06-25 21:10 ` Kees Cook 2018-06-25 21:10 ` [PATCH v2 01/11] crypto: xcbc: " Kees Cook 2018-06-25 21:23 ` Joe Perches 2018-06-25 21:32 ` Kees Cook 2018-06-25 21:38 ` Joe Perches 2018-06-25 23:06 ` Kees Cook 2018-06-26 0:54 ` Gustavo A. R. Silva 2018-06-26 16:50 ` Kees Cook 2018-06-26 17:05 ` Gustavo A. R. Silva 2018-06-25 21:10 ` [PATCH v2 02/11] crypto: cbc: " Kees Cook 2018-06-25 21:10 ` Kees Cook 2018-06-25 21:10 ` [PATCH v2 03/11] crypto: shash: " Kees Cook 2018-06-25 21:10 ` Kees Cook 2018-06-25 21:10 ` Kees Cook [this message] 2018-06-25 21:10 ` [PATCH v2 04/11] dm integrity: " Kees Cook 2018-06-25 21:10 ` [PATCH v2 05/11] crypto: ahash: " Kees Cook 2018-06-25 21:10 ` [PATCH v2 06/11] dm verity fec: " Kees Cook 2018-06-25 21:10 ` Kees Cook 2018-06-25 21:10 ` [PATCH v2 07/11] crypto alg: Introduce generic max blocksize and alignmask Kees Cook 2018-06-25 21:10 ` Kees Cook 2018-06-25 21:10 ` [PATCH v2 08/11] crypto: qat: Remove VLA usage Kees Cook 2018-06-25 21:10 ` [PATCH v2 09/11] crypto: shash: Remove VLA usage in unaligned hashing Kees Cook 2018-06-25 21:10 ` Kees Cook 2018-06-25 21:10 ` [PATCH v2 10/11] crypto: ahash: Remove VLA usage for AHASH_REQUEST_ON_STACK Kees Cook 2018-06-25 21:10 ` Kees Cook 2018-06-25 22:56 ` [dm-devel] " Eric Biggers 2018-06-25 23:13 ` Kees Cook 2018-06-26 9:19 ` Herbert Xu 2018-06-26 17:02 ` Kees Cook 2018-06-27 14:34 ` Herbert Xu 2018-06-27 18:12 ` Kees Cook 2018-06-25 21:10 ` [PATCH v2 11/11] crypto: skcipher: Remove VLA usage for SKCIPHER_REQUEST_ON_STACK Kees Cook 2018-06-25 21:10 ` Kees Cook 2018-06-26 9:20 ` Herbert Xu 2018-06-26 16:45 ` Kees Cook 2018-06-27 14:36 ` Herbert Xu 2018-06-27 18:31 ` Kees Cook 2018-06-27 22:27 ` Herbert Xu 2018-06-28 0:10 ` Kees Cook 2018-07-01 6:24 ` Herbert Xu 2018-07-01 6:24 ` Herbert Xu
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20180625211026.15819-5-keescook@chromium.org \ --to=keescook@chromium.org \ --cc=agk@redhat.com \ --cc=arnd@arndb.de \ --cc=davem@davemloft.net \ --cc=dm-devel@redhat.com \ --cc=ebiggers@google.com \ --cc=giovanni.cabiddu@intel.com \ --cc=gustavo@embeddedor.com \ --cc=herbert@gondor.apana.org.au \ --cc=larper@axis.com \ --cc=linux-crypto@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=qat-linux@intel.com \ --cc=rabinv@axis.com \ --cc=snitzer@redhat.com \ --cc=tim.c.chen@linux.intel.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.