Re: [PATCH v2 2/2] pstore: Replace crypto API compression with zlib_deflate library calls

From: Eric Biggers <ebiggers@kernel.org>
To: Ard Biesheuvel <ardb@kernel.org>
Cc: linux-hardening@vger.kernel.org,
	Kees Cook <keescook@chromium.org>,
	"Guilherme G. Piccoli" <gpiccoli@igalia.com>
Subject: Re: [PATCH v2 2/2] pstore: Replace crypto API compression with zlib_deflate library calls
Date: Fri, 7 Jul 2023 19:47:09 -0700	[thread overview]
Message-ID: <20230708024709.GC1731@sol.localdomain> (raw)
In-Reply-To: <20230707083456.2501913-3-ardb@kernel.org>

On Fri, Jul 07, 2023 at 10:34:56AM +0200, Ard Biesheuvel wrote:
> +/*
> + * pstore no longer implements compression via the crypto API, and only
> + * supports zlib deflate compression implemented using the zlib library
> + * interface. This removes additional complexity which is hard to justify for a
> + * diagnostic facility that has to operate in conditions where the system may
> + * have become unstable. Zlib deflate is comparatively small in terms of code
> + * size, and compresses ASCII text as well as any other compression algorithm
> + * available in the kernel. In terms of compression speed, deflate is not the
> + * best performer but for recording the log output on a kernel panic, this is
> + * not considered critical.
> + *
> + * The only remaining arguments supported by the compress= module parameter are
> + * 'deflate' and 'none'. To retain compatibility with existing installations,
> + * all other values are logged and replaced with 'deflate'.
> + */
> +static char *compress = "deflate";

I would soften the claim "compresses ASCII text as well as any other compression
algorithm available in the kernel" to something like "compresses ASCII text
comparatively well".  This is because zstd can indeed compress ASCII text
slightly more than deflate.

> static void free_buf_for_compression(void)
> {
> -       if (IS_ENABLED(CONFIG_PSTORE_COMPRESS) && tfm) {
> -               crypto_free_comp(tfm);
> -               tfm = NULL;
> -       }
> +       vfree(compress_workspace);
>         kfree(big_oops_buf);
>         big_oops_buf = NULL;
>  }

Maybe set compress_workspace to NULL after it is freed.

> @@ -592,10 +623,17 @@ void pstore_get_backend_records(struct pstore_info *psi,
>  {
>  	int failed = 0;
>  	unsigned int stop_loop = 65536;
> +	struct z_stream_s zstream;
>  
>  	if (!psi || !root)
>  		return;
>  
> +	if (IS_ENABLED(CONFIG_PSTORE_COMPRESS) && compress) {
> +		zstream.workspace = kvmalloc(zlib_inflate_workspacesize(),
> +					     GFP_KERNEL);
> +		zlib_inflateInit2(&zstream, -DEF_WBITS);
> +	}
> +

zstream.workspace is never checked for NULL.  Maybe do:

	struct z_stream_s zstream = {};

and have decompress_record() check it.  Also I think it should replace the check
for big_oops_buf, as big_oops_buf is really for compression, not decompression.

>  	mutex_lock(&psi->read_mutex);
>  	if (psi->open && psi->open(psi))
>  		goto out;
> @@ -624,7 +662,7 @@ void pstore_get_backend_records(struct pstore_info *psi,
>  			break;
>  		}
>  
> -		decompress_record(record);
> +		decompress_record(record, &zstream);
>  		rc = pstore_mkfile(root, record);
>  		if (rc) {
>  			/* pstore_mkfile() did not take record, so free it. */
> @@ -639,6 +677,10 @@ void pstore_get_backend_records(struct pstore_info *psi,
>  		psi->close(psi);
>  out:
>  	mutex_unlock(&psi->read_mutex);
> +	kvfree(zstream.workspace);
> +
> +	if (zlib_inflateEnd(&zstream) != Z_OK)
> +		pr_warn("zlib_inflateEnd() failed\n");

The destruction code above needs to be guarded by the same condition as the
initialization code ('IS_ENABLED(CONFIG_PSTORE_COMPRESS) && compress').

- Eric