* [PATCH] ima: dynamically allocate shash_desc
@ 2019-06-17 11:20 Arnd Bergmann
2019-06-17 15:55 ` Mimi Zohar
0 siblings, 1 reply; 7+ messages in thread
From: Arnd Bergmann @ 2019-06-17 11:20 UTC (permalink / raw)
To: Mimi Zohar, Dmitry Kasatkin, James Morris, Serge E. Hallyn
Cc: Arnd Bergmann, Jarkko Sakkinen, Stefan Berger, linux-integrity,
linux-security-module, linux-kernel
On 32-bit ARM, we get a warning about excessive stack usage when
building with clang.
security/integrity/ima/ima_crypto.c:504:5: error: stack frame size of 1152 bytes in function 'ima_calc_field_array_hash' [-Werror,-Wframe-larger-than=]
Using kmalloc to get the descriptor reduces this to 320 bytes.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
security/integrity/ima/ima_crypto.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index d4c7b8e1b083..8a66bab4c435 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -461,16 +461,21 @@ static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
struct ima_digest_data *hash,
struct crypto_shash *tfm)
{
- SHASH_DESC_ON_STACK(shash, tfm);
+ struct shash_desc *shash;
int rc, i;
+ shash = kmalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm),
+ GFP_KERNEL);
+ if (!shash)
+ return -ENOMEM;
+
shash->tfm = tfm;
hash->length = crypto_shash_digestsize(tfm);
rc = crypto_shash_init(shash);
if (rc != 0)
- return rc;
+ goto out;
for (i = 0; i < num_fields; i++) {
u8 buffer[IMA_EVENT_NAME_LEN_MAX + 1] = { 0 };
@@ -497,7 +502,8 @@ static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
if (!rc)
rc = crypto_shash_final(shash, hash->digest);
-
+out:
+ kfree(shash);
return rc;
}
--
2.20.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] ima: dynamically allocate shash_desc
2019-06-17 11:20 [PATCH] ima: dynamically allocate shash_desc Arnd Bergmann
@ 2019-06-17 15:55 ` Mimi Zohar
2019-06-17 18:07 ` Mimi Zohar
0 siblings, 1 reply; 7+ messages in thread
From: Mimi Zohar @ 2019-06-17 15:55 UTC (permalink / raw)
To: Arnd Bergmann, Dmitry Kasatkin, James Morris, Serge E. Hallyn
Cc: Jarkko Sakkinen, Stefan Berger, linux-integrity,
linux-security-module, linux-kernel
On Mon, 2019-06-17 at 13:20 +0200, Arnd Bergmann wrote:
> On 32-bit ARM, we get a warning about excessive stack usage when
> building with clang.
>
> security/integrity/ima/ima_crypto.c:504:5: error: stack frame size
> of 1152 bytes in function 'ima_calc_field_array_hash' [-Werror,-
> Wframe-larger-than=]
I'm definitely not seeing this. Is this problem a result of non
upstreamed patches? For sha1, currently the only possible hash
algorithm, I'm seeing 664.
Mimi
>
> Using kmalloc to get the descriptor reduces this to 320 bytes.
>
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
> security/integrity/ima/ima_crypto.c | 12 +++++++++---
> 1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
> index d4c7b8e1b083..8a66bab4c435 100644
> --- a/security/integrity/ima/ima_crypto.c
> +++ b/security/integrity/ima/ima_crypto.c
> @@ -461,16 +461,21 @@ static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
> struct ima_digest_data *hash,
> struct crypto_shash *tfm)
> {
> - SHASH_DESC_ON_STACK(shash, tfm);
> + struct shash_desc *shash;
> int rc, i;
>
> + shash = kmalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm),
> + GFP_KERNEL);
> + if (!shash)
> + return -ENOMEM;
> +
> shash->tfm = tfm;
>
> hash->length = crypto_shash_digestsize(tfm);
>
> rc = crypto_shash_init(shash);
> if (rc != 0)
> - return rc;
> + goto out;
>
> for (i = 0; i < num_fields; i++) {
> u8 buffer[IMA_EVENT_NAME_LEN_MAX + 1] = { 0 };
> @@ -497,7 +502,8 @@ static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
>
> if (!rc)
> rc = crypto_shash_final(shash, hash->digest);
> -
> +out:
> + kfree(shash);
> return rc;
> }
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ima: dynamically allocate shash_desc
2019-06-17 15:55 ` Mimi Zohar
@ 2019-06-17 18:07 ` Mimi Zohar
2019-06-17 20:08 ` Arnd Bergmann
0 siblings, 1 reply; 7+ messages in thread
From: Mimi Zohar @ 2019-06-17 18:07 UTC (permalink / raw)
To: Arnd Bergmann, Dmitry Kasatkin, James Morris, Serge E. Hallyn
Cc: Jarkko Sakkinen, Stefan Berger, linux-integrity,
linux-security-module, linux-kernel
On Mon, 2019-06-17 at 11:55 -0400, Mimi Zohar wrote:
> On Mon, 2019-06-17 at 13:20 +0200, Arnd Bergmann wrote:
> > On 32-bit ARM, we get a warning about excessive stack usage when
> > building with clang.
> >
> > security/integrity/ima/ima_crypto.c:504:5: error: stack frame size
> > of 1152 bytes in function 'ima_calc_field_array_hash' [-Werror,-
> > Wframe-larger-than=]
>
> I'm definitely not seeing this. Is this problem a result of non
> upstreamed patches? For sha1, currently the only possible hash
> algorithm, I'm seeing 664.
Every time a measurement is added to the measurement list, the memory
would be allocated/freed. The frequency of new measurements is policy
dependent. For performance reasons, I'd prefer if the allocation
remains on the stack.
Mimi
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ima: dynamically allocate shash_desc
2019-06-17 18:07 ` Mimi Zohar
@ 2019-06-17 20:08 ` Arnd Bergmann
2019-06-18 12:44 ` Mimi Zohar
0 siblings, 1 reply; 7+ messages in thread
From: Arnd Bergmann @ 2019-06-17 20:08 UTC (permalink / raw)
To: Mimi Zohar
Cc: Dmitry Kasatkin, James Morris, Serge E. Hallyn, Jarkko Sakkinen,
Stefan Berger, linux-integrity, LSM List,
Linux Kernel Mailing List
On Mon, Jun 17, 2019 at 8:08 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> On Mon, 2019-06-17 at 11:55 -0400, Mimi Zohar wrote:
> > On Mon, 2019-06-17 at 13:20 +0200, Arnd Bergmann wrote:
> > > On 32-bit ARM, we get a warning about excessive stack usage when
> > > building with clang.
> > >
> > > security/integrity/ima/ima_crypto.c:504:5: error: stack frame size
> > > of 1152 bytes in function 'ima_calc_field_array_hash' [-Werror,-
> > > Wframe-larger-than=]
> >
> > I'm definitely not seeing this. Is this problem a result of non
> > upstreamed patches? For sha1, currently the only possible hash
> > algorithm, I'm seeing 664.
You won't see it with gcc, only with clang in some randconfig builds,
I suppose only when KASAN is enabled.
> Every time a measurement is added to the measurement list, the memory
> would be allocated/freed. The frequency of new measurements is policy
> dependent. For performance reasons, I'd prefer if the allocation
> remains on the stack.
Is there a way to preallocate the shash_desc instead? That would
avoid the overhead.
Arnd
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ima: dynamically allocate shash_desc
2019-06-17 20:08 ` Arnd Bergmann
@ 2019-06-18 12:44 ` Mimi Zohar
2019-06-18 18:06 ` Arnd Bergmann
0 siblings, 1 reply; 7+ messages in thread
From: Mimi Zohar @ 2019-06-18 12:44 UTC (permalink / raw)
To: Arnd Bergmann
Cc: Dmitry Kasatkin, James Morris, Serge E. Hallyn, Jarkko Sakkinen,
Stefan Berger, linux-integrity, LSM List,
Linux Kernel Mailing List
On Mon, 2019-06-17 at 22:08 +0200, Arnd Bergmann wrote:
> On Mon, Jun 17, 2019 at 8:08 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
> >
> > On Mon, 2019-06-17 at 11:55 -0400, Mimi Zohar wrote:
> > > On Mon, 2019-06-17 at 13:20 +0200, Arnd Bergmann wrote:
> > > > On 32-bit ARM, we get a warning about excessive stack usage when
> > > > building with clang.
> > > >
> > > > security/integrity/ima/ima_crypto.c:504:5: error: stack frame size
> > > > of 1152 bytes in function 'ima_calc_field_array_hash' [-Werror,-
> > > > Wframe-larger-than=]
> > >
> > > I'm definitely not seeing this. Is this problem a result of non
> > > upstreamed patches? For sha1, currently the only possible hash
> > > algorithm, I'm seeing 664.
>
> You won't see it with gcc, only with clang in some randconfig builds,
> I suppose only when KASAN is enabled.
>
> > Every time a measurement is added to the measurement list, the memory
> > would be allocated/freed. The frequency of new measurements is policy
> > dependent. For performance reasons, I'd prefer if the allocation
> > remains on the stack.
>
> Is there a way to preallocate the shash_desc instead? That would
> avoid the overhead.
There are 3 other SHASH_DESC_ON_STACK definitions in just
ima_crypto.c, with a total of ~55 other places in the kernel. Before
fixing this particular function, I'd like to know if the "excessive
stack usage" warning is limited to ima_calc_field_array_hash_tfm().
If so, what is so special about its usage of SHASH_DESC_ON_STACK?
thanks,
Mimi
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ima: dynamically allocate shash_desc
2019-06-18 12:44 ` Mimi Zohar
@ 2019-06-18 18:06 ` Arnd Bergmann
2019-06-18 18:53 ` Mimi Zohar
0 siblings, 1 reply; 7+ messages in thread
From: Arnd Bergmann @ 2019-06-18 18:06 UTC (permalink / raw)
To: Mimi Zohar
Cc: Dmitry Kasatkin, James Morris, Serge E. Hallyn, Jarkko Sakkinen,
Stefan Berger, linux-integrity, LSM List,
Linux Kernel Mailing List
On Tue, Jun 18, 2019 at 3:55 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> On Mon, 2019-06-17 at 22:08 +0200, Arnd Bergmann wrote:
> > On Mon, Jun 17, 2019 at 8:08 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
> > >
> > > On Mon, 2019-06-17 at 11:55 -0400, Mimi Zohar wrote:
> > > > On Mon, 2019-06-17 at 13:20 +0200, Arnd Bergmann wrote:
> > > > > On 32-bit ARM, we get a warning about excessive stack usage when
> > > > > building with clang.
> > > > >
> > > > > security/integrity/ima/ima_crypto.c:504:5: error: stack frame size
> > > > > of 1152 bytes in function 'ima_calc_field_array_hash' [-Werror,-
> > > > > Wframe-larger-than=]
> > > >
> > > > I'm definitely not seeing this. Is this problem a result of non
> > > > upstreamed patches? For sha1, currently the only possible hash
> > > > algorithm, I'm seeing 664.
> >
> > You won't see it with gcc, only with clang in some randconfig builds,
> > I suppose only when KASAN is enabled.
> >
> > > Every time a measurement is added to the measurement list, the memory
> > > would be allocated/freed. The frequency of new measurements is policy
> > > dependent. For performance reasons, I'd prefer if the allocation
> > > remains on the stack.
> >
> > Is there a way to preallocate the shash_desc instead? That would
> > avoid the overhead.
>
> There are 3 other SHASH_DESC_ON_STACK definitions in just
> ima_crypto.c, with a total of ~55 other places in the kernel. Before
> fixing this particular function, I'd like to know if the "excessive
> stack usage" warning is limited to ima_calc_field_array_hash_tfm().
> If so, what is so special about its usage of SHASH_DESC_ON_STACK?
SHASH_DESC_ON_STACK() uses at least 512 bytes of stack
everywhere, which is half of the warning limit for a function on
32 bit kernels.
With KASAN, a small redzone is put around it so we can detect out
of bounds access to a variable that is passed by reference.
clang makes that buffer larger than gcc, so we end up with something
like 768 bytes for each instance of SHASH_DESC_ON_STACK().
Most other users still stay below the 1024 byte warning level though,
because typical functions only use a few bytes of stack space.
In case of ima_calc_field_array_hash_tfm(), the is also the buffer[]
array of 255 bytes that gets another large redzone.
I fixed up all the (randconfig) warnings I get for arm32, arm64 and
x86 kernels, and I think there were four to five that were because of
SHASH_DESC_ON_STACK(). It might make sense to convert all
three instances in ima to preallocate the descriptor if we do it for
one of them, even when it's not actually needed.
Arnd
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ima: dynamically allocate shash_desc
2019-06-18 18:06 ` Arnd Bergmann
@ 2019-06-18 18:53 ` Mimi Zohar
0 siblings, 0 replies; 7+ messages in thread
From: Mimi Zohar @ 2019-06-18 18:53 UTC (permalink / raw)
To: Arnd Bergmann
Cc: Dmitry Kasatkin, James Morris, Serge E. Hallyn, Jarkko Sakkinen,
Stefan Berger, linux-integrity, LSM List,
Linux Kernel Mailing List
On Tue, 2019-06-18 at 20:06 +0200, Arnd Bergmann wrote:
> On Tue, Jun 18, 2019 at 3:55 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
> >
> > On Mon, 2019-06-17 at 22:08 +0200, Arnd Bergmann wrote:
> > > On Mon, Jun 17, 2019 at 8:08 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
> > > >
> > > > On Mon, 2019-06-17 at 11:55 -0400, Mimi Zohar wrote:
> > > > > On Mon, 2019-06-17 at 13:20 +0200, Arnd Bergmann wrote:
> > > > > > On 32-bit ARM, we get a warning about excessive stack usage when
> > > > > > building with clang.
> > > > > >
> > > > > > security/integrity/ima/ima_crypto.c:504:5: error: stack frame size
> > > > > > of 1152 bytes in function 'ima_calc_field_array_hash' [-Werror,-
> > > > > > Wframe-larger-than=]
> > > > >
> > > > > I'm definitely not seeing this. Is this problem a result of non
> > > > > upstreamed patches? For sha1, currently the only possible hash
> > > > > algorithm, I'm seeing 664.
> > >
> > > You won't see it with gcc, only with clang in some randconfig builds,
> > > I suppose only when KASAN is enabled.
> > >
> > > > Every time a measurement is added to the measurement list, the memory
> > > > would be allocated/freed. The frequency of new measurements is policy
> > > > dependent. For performance reasons, I'd prefer if the allocation
> > > > remains on the stack.
> > >
> > > Is there a way to preallocate the shash_desc instead? That would
> > > avoid the overhead.
> >
> > There are 3 other SHASH_DESC_ON_STACK definitions in just
> > ima_crypto.c, with a total of ~55 other places in the kernel. Before
> > fixing this particular function, I'd like to know if the "excessive
> > stack usage" warning is limited to ima_calc_field_array_hash_tfm().
> > If so, what is so special about its usage of SHASH_DESC_ON_STACK?
>
> SHASH_DESC_ON_STACK() uses at least 512 bytes of stack
> everywhere, which is half of the warning limit for a function on
> 32 bit kernels.
>
> With KASAN, a small redzone is put around it so we can detect out
> of bounds access to a variable that is passed by reference.
> clang makes that buffer larger than gcc, so we end up with something
> like 768 bytes for each instance of SHASH_DESC_ON_STACK().
>
> Most other users still stay below the 1024 byte warning level though,
> because typical functions only use a few bytes of stack space.
> In case of ima_calc_field_array_hash_tfm(), the is also the buffer[]
> array of 255 bytes that gets another large redzone.
>
> I fixed up all the (randconfig) warnings I get for arm32, arm64 and
> x86 kernels, and I think there were four to five that were because of
> SHASH_DESC_ON_STACK(). It might make sense to convert all
> three instances in ima to preallocate the descriptor if we do it for
> one of them, even when it's not actually needed.
"buffer" is only used for the original "ima" template format, which is
limited to sha1. Rather than allocating shash, I would prefer
"buffer" be allocated, if needed, and only the first time.
Mimi
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2019-06-18 18:53 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-17 11:20 [PATCH] ima: dynamically allocate shash_desc Arnd Bergmann
2019-06-17 15:55 ` Mimi Zohar
2019-06-17 18:07 ` Mimi Zohar
2019-06-17 20:08 ` Arnd Bergmann
2019-06-18 12:44 ` Mimi Zohar
2019-06-18 18:06 ` Arnd Bergmann
2019-06-18 18:53 ` Mimi Zohar
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.