From: Kees Cook <keescook@chromium.org>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Giovanni Cabiddu <giovanni.cabiddu@intel.com>,
Arnd Bergmann <arnd@arndb.de>, Mike Snitzer <snitzer@redhat.com>,
"Gustavo A. R. Silva" <gustavo@embeddedor.com>,
Eric Biggers <ebiggers@google.com>,
qat-linux@intel.com, linux-kernel@vger.kernel.org,
dm-devel@redhat.com, linux-crypto@vger.kernel.org,
Rabin Vincent <rabinv@axis.com>, Lars Persson <larper@axis.com>,
Tim Chen <tim.c.chen@linux.intel.com>,
"David S. Miller" <davem@davemloft.net>,
Alasdair Kergon <agk@redhat.com>,
Kees Cook <keescook@chromium.org>
Subject: [PATCH v2 04/11] dm integrity: Remove VLA usage
Date: Mon, 25 Jun 2018 14:10:19 -0700 [thread overview]
Message-ID: <20180625211026.15819-5-keescook@chromium.org> (raw)
In-Reply-To: <20180625211026.15819-1-keescook@chromium.org>
In the quest to remove all stack VLA usage from the kernel[1], this uses
the new SHASH_MAX_DIGESTSIZE from the crypto layer to allocate the upper
bounds on stack usage.
[1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com
Cc: Alasdair Kergon <agk@redhat.com>
Cc: Mike Snitzer <snitzer@redhat.com>
Cc: dm-devel@redhat.com
Signed-off-by: Kees Cook <keescook@chromium.org>
---
drivers/md/dm-integrity.c | 23 +++++++++++++++++------
1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c
index 86438b2f10dd..85e8ce1625a2 100644
--- a/drivers/md/dm-integrity.c
+++ b/drivers/md/dm-integrity.c
@@ -521,7 +521,12 @@ static void section_mac(struct dm_integrity_c *ic, unsigned section, __u8 result
}
memset(result + size, 0, JOURNAL_MAC_SIZE - size);
} else {
- __u8 digest[size];
+ __u8 digest[SHASH_MAX_DIGESTSIZE];
+
+ if (WARN_ON(size > sizeof(digest))) {
+ dm_integrity_io_error(ic, "digest_size", -EINVAL);
+ goto err;
+ }
r = crypto_shash_final(desc, digest);
if (unlikely(r)) {
dm_integrity_io_error(ic, "crypto_shash_final", r);
@@ -1244,7 +1249,7 @@ static void integrity_metadata(struct work_struct *w)
struct bio *bio = dm_bio_from_per_bio_data(dio, sizeof(struct dm_integrity_io));
char *checksums;
unsigned extra_space = unlikely(digest_size > ic->tag_size) ? digest_size - ic->tag_size : 0;
- char checksums_onstack[ic->tag_size + extra_space];
+ char checksums_onstack[SHASH_MAX_DIGESTSIZE];
unsigned sectors_to_process = dio->range.n_sectors;
sector_t sector = dio->range.logical_sector;
@@ -1253,8 +1258,14 @@ static void integrity_metadata(struct work_struct *w)
checksums = kmalloc((PAGE_SIZE >> SECTOR_SHIFT >> ic->sb->log2_sectors_per_block) * ic->tag_size + extra_space,
GFP_NOIO | __GFP_NORETRY | __GFP_NOWARN);
- if (!checksums)
+ if (!checksums) {
checksums = checksums_onstack;
+ if (WARN_ON(extra_space &&
+ digest_size > sizeof(checksums_onstack))) {
+ r = -EINVAL;
+ goto error;
+ }
+ }
__bio_for_each_segment(bv, bio, iter, dio->orig_bi_iter) {
unsigned pos;
@@ -1466,7 +1477,7 @@ static bool __journal_read_write(struct dm_integrity_io *dio, struct bio *bio,
} while (++s < ic->sectors_per_block);
#ifdef INTERNAL_VERIFY
if (ic->internal_hash) {
- char checksums_onstack[max(crypto_shash_digestsize(ic->internal_hash), ic->tag_size)];
+ char checksums_onstack[max(SHASH_MAX_DIGESTSIZE, MAX_TAG_SIZE)];
integrity_sector_checksum(ic, logical_sector, mem + bv.bv_offset, checksums_onstack);
if (unlikely(memcmp(checksums_onstack, journal_entry_tag(ic, je), ic->tag_size))) {
@@ -1516,7 +1527,7 @@ static bool __journal_read_write(struct dm_integrity_io *dio, struct bio *bio,
if (ic->internal_hash) {
unsigned digest_size = crypto_shash_digestsize(ic->internal_hash);
if (unlikely(digest_size > ic->tag_size)) {
- char checksums_onstack[digest_size];
+ char checksums_onstack[SHASH_MAX_DIGESTSIZE];
integrity_sector_checksum(ic, logical_sector, (char *)js, checksums_onstack);
memcpy(journal_entry_tag(ic, je), checksums_onstack, ic->tag_size);
} else
@@ -1937,7 +1948,7 @@ static void do_journal_write(struct dm_integrity_c *ic, unsigned write_start,
unlikely(from_replay) &&
#endif
ic->internal_hash) {
- char test_tag[max(crypto_shash_digestsize(ic->internal_hash), ic->tag_size)];
+ char test_tag[max_t(size_t, SHASH_MAX_DIGESTSIZE, MAX_TAG_SIZE)];
integrity_sector_checksum(ic, sec + ((l - j) << ic->sb->log2_sectors_per_block),
(char *)access_journal_data(ic, i, l), test_tag);
--
2.17.1
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Kees Cook <keescook@chromium.org>,
Alasdair Kergon <agk@redhat.com>,
Mike Snitzer <snitzer@redhat.com>,
dm-devel@redhat.com,
"Gustavo A. R. Silva" <gustavo@embeddedor.com>,
Arnd Bergmann <arnd@arndb.de>, Eric Biggers <ebiggers@google.com>,
Giovanni Cabiddu <giovanni.cabiddu@intel.com>,
Lars Persson <larper@axis.com>, Rabin Vincent <rabinv@axis.com>,
Tim Chen <tim.c.chen@linux.intel.com>,
"David S. Miller" <davem@davemloft.net>,
linux-crypto@vger.kernel.org, qat-linux@intel.com,
linux-kernel@vger.kernel.org
Subject: [PATCH v2 04/11] dm integrity: Remove VLA usage
Date: Mon, 25 Jun 2018 14:10:19 -0700 [thread overview]
Message-ID: <20180625211026.15819-5-keescook@chromium.org> (raw)
In-Reply-To: <20180625211026.15819-1-keescook@chromium.org>
In the quest to remove all stack VLA usage from the kernel[1], this uses
the new SHASH_MAX_DIGESTSIZE from the crypto layer to allocate the upper
bounds on stack usage.
[1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com
Cc: Alasdair Kergon <agk@redhat.com>
Cc: Mike Snitzer <snitzer@redhat.com>
Cc: dm-devel@redhat.com
Signed-off-by: Kees Cook <keescook@chromium.org>
---
drivers/md/dm-integrity.c | 23 +++++++++++++++++------
1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c
index 86438b2f10dd..85e8ce1625a2 100644
--- a/drivers/md/dm-integrity.c
+++ b/drivers/md/dm-integrity.c
@@ -521,7 +521,12 @@ static void section_mac(struct dm_integrity_c *ic, unsigned section, __u8 result
}
memset(result + size, 0, JOURNAL_MAC_SIZE - size);
} else {
- __u8 digest[size];
+ __u8 digest[SHASH_MAX_DIGESTSIZE];
+
+ if (WARN_ON(size > sizeof(digest))) {
+ dm_integrity_io_error(ic, "digest_size", -EINVAL);
+ goto err;
+ }
r = crypto_shash_final(desc, digest);
if (unlikely(r)) {
dm_integrity_io_error(ic, "crypto_shash_final", r);
@@ -1244,7 +1249,7 @@ static void integrity_metadata(struct work_struct *w)
struct bio *bio = dm_bio_from_per_bio_data(dio, sizeof(struct dm_integrity_io));
char *checksums;
unsigned extra_space = unlikely(digest_size > ic->tag_size) ? digest_size - ic->tag_size : 0;
- char checksums_onstack[ic->tag_size + extra_space];
+ char checksums_onstack[SHASH_MAX_DIGESTSIZE];
unsigned sectors_to_process = dio->range.n_sectors;
sector_t sector = dio->range.logical_sector;
@@ -1253,8 +1258,14 @@ static void integrity_metadata(struct work_struct *w)
checksums = kmalloc((PAGE_SIZE >> SECTOR_SHIFT >> ic->sb->log2_sectors_per_block) * ic->tag_size + extra_space,
GFP_NOIO | __GFP_NORETRY | __GFP_NOWARN);
- if (!checksums)
+ if (!checksums) {
checksums = checksums_onstack;
+ if (WARN_ON(extra_space &&
+ digest_size > sizeof(checksums_onstack))) {
+ r = -EINVAL;
+ goto error;
+ }
+ }
__bio_for_each_segment(bv, bio, iter, dio->orig_bi_iter) {
unsigned pos;
@@ -1466,7 +1477,7 @@ static bool __journal_read_write(struct dm_integrity_io *dio, struct bio *bio,
} while (++s < ic->sectors_per_block);
#ifdef INTERNAL_VERIFY
if (ic->internal_hash) {
- char checksums_onstack[max(crypto_shash_digestsize(ic->internal_hash), ic->tag_size)];
+ char checksums_onstack[max(SHASH_MAX_DIGESTSIZE, MAX_TAG_SIZE)];
integrity_sector_checksum(ic, logical_sector, mem + bv.bv_offset, checksums_onstack);
if (unlikely(memcmp(checksums_onstack, journal_entry_tag(ic, je), ic->tag_size))) {
@@ -1516,7 +1527,7 @@ static bool __journal_read_write(struct dm_integrity_io *dio, struct bio *bio,
if (ic->internal_hash) {
unsigned digest_size = crypto_shash_digestsize(ic->internal_hash);
if (unlikely(digest_size > ic->tag_size)) {
- char checksums_onstack[digest_size];
+ char checksums_onstack[SHASH_MAX_DIGESTSIZE];
integrity_sector_checksum(ic, logical_sector, (char *)js, checksums_onstack);
memcpy(journal_entry_tag(ic, je), checksums_onstack, ic->tag_size);
} else
@@ -1937,7 +1948,7 @@ static void do_journal_write(struct dm_integrity_c *ic, unsigned write_start,
unlikely(from_replay) &&
#endif
ic->internal_hash) {
- char test_tag[max(crypto_shash_digestsize(ic->internal_hash), ic->tag_size)];
+ char test_tag[max_t(size_t, SHASH_MAX_DIGESTSIZE, MAX_TAG_SIZE)];
integrity_sector_checksum(ic, sec + ((l - j) << ic->sb->log2_sectors_per_block),
(char *)access_journal_data(ic, i, l), test_tag);
--
2.17.1
next prev parent reply other threads:[~2018-06-25 21:10 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-25 21:10 [PATCH v2 00/11] crypto: Remove VLA usage Kees Cook
2018-06-25 21:10 ` Kees Cook
2018-06-25 21:10 ` [PATCH v2 01/11] crypto: xcbc: " Kees Cook
2018-06-25 21:23 ` Joe Perches
2018-06-25 21:32 ` Kees Cook
2018-06-25 21:38 ` Joe Perches
2018-06-25 23:06 ` Kees Cook
2018-06-26 0:54 ` Gustavo A. R. Silva
2018-06-26 16:50 ` Kees Cook
2018-06-26 17:05 ` Gustavo A. R. Silva
2018-06-25 21:10 ` [PATCH v2 02/11] crypto: cbc: " Kees Cook
2018-06-25 21:10 ` Kees Cook
2018-06-25 21:10 ` [PATCH v2 03/11] crypto: shash: " Kees Cook
2018-06-25 21:10 ` Kees Cook
2018-06-25 21:10 ` Kees Cook [this message]
2018-06-25 21:10 ` [PATCH v2 04/11] dm integrity: " Kees Cook
2018-06-25 21:10 ` [PATCH v2 05/11] crypto: ahash: " Kees Cook
2018-06-25 21:10 ` [PATCH v2 06/11] dm verity fec: " Kees Cook
2018-06-25 21:10 ` Kees Cook
2018-06-25 21:10 ` [PATCH v2 07/11] crypto alg: Introduce generic max blocksize and alignmask Kees Cook
2018-06-25 21:10 ` Kees Cook
2018-06-25 21:10 ` [PATCH v2 08/11] crypto: qat: Remove VLA usage Kees Cook
2018-06-25 21:10 ` [PATCH v2 09/11] crypto: shash: Remove VLA usage in unaligned hashing Kees Cook
2018-06-25 21:10 ` Kees Cook
2018-06-25 21:10 ` [PATCH v2 10/11] crypto: ahash: Remove VLA usage for AHASH_REQUEST_ON_STACK Kees Cook
2018-06-25 21:10 ` Kees Cook
2018-06-25 22:56 ` [dm-devel] " Eric Biggers
2018-06-25 23:13 ` Kees Cook
2018-06-26 9:19 ` Herbert Xu
2018-06-26 17:02 ` Kees Cook
2018-06-27 14:34 ` Herbert Xu
2018-06-27 18:12 ` Kees Cook
2018-06-25 21:10 ` [PATCH v2 11/11] crypto: skcipher: Remove VLA usage for SKCIPHER_REQUEST_ON_STACK Kees Cook
2018-06-25 21:10 ` Kees Cook
2018-06-26 9:20 ` Herbert Xu
2018-06-26 16:45 ` Kees Cook
2018-06-27 14:36 ` Herbert Xu
2018-06-27 18:31 ` Kees Cook
2018-06-27 22:27 ` Herbert Xu
2018-06-28 0:10 ` Kees Cook
2018-07-01 6:24 ` Herbert Xu
2018-07-01 6:24 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180625211026.15819-5-keescook@chromium.org \
--to=keescook@chromium.org \
--cc=agk@redhat.com \
--cc=arnd@arndb.de \
--cc=davem@davemloft.net \
--cc=dm-devel@redhat.com \
--cc=ebiggers@google.com \
--cc=giovanni.cabiddu@intel.com \
--cc=gustavo@embeddedor.com \
--cc=herbert@gondor.apana.org.au \
--cc=larper@axis.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=qat-linux@intel.com \
--cc=rabinv@axis.com \
--cc=snitzer@redhat.com \
--cc=tim.c.chen@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.