* [PATCH v2] crypto: octeontx2 - Avoid stack variable overflow
@ 2022-01-05 17:49 Kees Cook
2022-01-08 9:28 ` Ard Biesheuvel
0 siblings, 1 reply; 2+ messages in thread
From: Kees Cook @ 2022-01-05 17:49 UTC (permalink / raw)
To: Herbert Xu
Cc: Kees Cook, Boris Brezillon, Arnaud Ebalard, Srujana Challa,
David S. Miller, Suheil Chandran, Shijith Thotton,
Lukasz Bartosik, linux-crypto, Dan Carpenter, Jiapeng Chong,
linux-kernel, linux-hardening
Building with -Warray-bounds showed a stack variable array index
overflow. Increase the expected size of the array to avoid the warning:
In file included from ./include/linux/printk.h:555,
from ./include/asm-generic/bug.h:22,
from ./arch/x86/include/asm/bug.h:84,
from ./include/linux/bug.h:5,
from ./include/linux/mmdebug.h:5,
from ./include/linux/gfp.h:5,
from ./include/linux/firmware.h:7,
from drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c:5:
drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c: In function 'otx2_cpt_print_uc_dbg_info':
./include/linux/dynamic_debug.h:162:33: warning: array subscript 4 is above array bounds of 'u32[4]' {aka 'unsigned int[4]'} [-Warray-bounds]
162 | _dynamic_func_call(fmt, __dynamic_pr_debug, \
| ^
./include/linux/dynamic_debug.h:134:17: note: in definition of macro '__dynamic_func_call'
134 | func(&id, ##__VA_ARGS__); \
| ^~~~
./include/linux/dynamic_debug.h:162:9: note: in expansion of macro '_dynamic_func_call'
162 | _dynamic_func_call(fmt, __dynamic_pr_debug, \
| ^~~~~~~~~~~~~~~~~~
./include/linux/printk.h:570:9: note: in expansion of macro 'dynamic_pr_debug'
570 | dynamic_pr_debug(fmt, ##__VA_ARGS__)
| ^~~~~~~~~~~~~~~~
drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c:1807:41: note: in expansion of macro 'pr_debug'
1807 | pr_debug("Mask: %8.8x %8.8x %8.8x %8.8x %8.8x",
| ^~~~~~~~
drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c:1765:13: note: while referencing 'mask'
1765 | u32 mask[4];
| ^~~~
This is justified because the mask size (eng_grps->engs_num) can be at
most 144 (OTX2_CPT_MAX_ENGINES bits), which is larger than available
storage. 4 * 32 == 128, so this must be 5: 5 * 32bit = 150.
Additionally clear the mask before conversion so trailing bits are zero.
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Boris Brezillon <bbrezillon@kernel.org>
Cc: Arnaud Ebalard <arno@natisbad.org>
Cc: Srujana Challa <schalla@marvell.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Suheil Chandran <schandran@marvell.com>
Cc: Shijith Thotton <sthotton@marvell.com>
Cc: Lukasz Bartosik <lbartosik@marvell.com>
Cc: linux-crypto@vger.kernel.org
Fixes: d9d7749773e8 ("crypto: octeontx2 - add apis for custom engine groups")
Signed-off-by: Kees Cook <keescook@chromium.org>
---
v1: https://lore.kernel.org/lkml/20211215225558.1995027-1-keescook@chromium.org/
v2:
- expliticly zero "mask"
- explain math in commit log
- move definition into local context
---
drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c b/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
index 4c8ebdf671ca..1b4d425bbf0e 100644
--- a/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
+++ b/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
@@ -1753,7 +1753,6 @@ void otx2_cpt_print_uc_dbg_info(struct otx2_cptpf_dev *cptpf)
char engs_info[2 * OTX2_CPT_NAME_LENGTH];
struct otx2_cpt_eng_grp_info *grp;
struct otx2_cpt_engs_rsvd *engs;
- u32 mask[4];
int i, j;
pr_debug("Engine groups global info");
@@ -1785,6 +1784,8 @@ void otx2_cpt_print_uc_dbg_info(struct otx2_cptpf_dev *cptpf)
for (j = 0; j < OTX2_CPT_MAX_ETYPES_PER_GRP; j++) {
engs = &grp->engs[j];
if (engs->type) {
+ u32 mask[5] = { };
+
get_engs_info(grp, engs_info,
2 * OTX2_CPT_NAME_LENGTH, j);
pr_debug("Slot%d: %s", j, engs_info);
--
2.30.2
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH v2] crypto: octeontx2 - Avoid stack variable overflow
2022-01-05 17:49 [PATCH v2] crypto: octeontx2 - Avoid stack variable overflow Kees Cook
@ 2022-01-08 9:28 ` Ard Biesheuvel
0 siblings, 0 replies; 2+ messages in thread
From: Ard Biesheuvel @ 2022-01-08 9:28 UTC (permalink / raw)
To: Kees Cook
Cc: Herbert Xu, Boris Brezillon, Arnaud Ebalard, Srujana Challa,
David S. Miller, Suheil Chandran, Shijith Thotton,
Lukasz Bartosik, Linux Crypto Mailing List, Dan Carpenter,
Jiapeng Chong, Linux Kernel Mailing List, linux-hardening
On Wed, 5 Jan 2022 at 18:50, Kees Cook <keescook@chromium.org> wrote:
>
> Building with -Warray-bounds showed a stack variable array index
> overflow. Increase the expected size of the array to avoid the warning:
>
> In file included from ./include/linux/printk.h:555,
> from ./include/asm-generic/bug.h:22,
> from ./arch/x86/include/asm/bug.h:84,
> from ./include/linux/bug.h:5,
> from ./include/linux/mmdebug.h:5,
> from ./include/linux/gfp.h:5,
> from ./include/linux/firmware.h:7,
> from drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c:5:
> drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c: In function 'otx2_cpt_print_uc_dbg_info':
> ./include/linux/dynamic_debug.h:162:33: warning: array subscript 4 is above array bounds of 'u32[4]' {aka 'unsigned int[4]'} [-Warray-bounds]
> 162 | _dynamic_func_call(fmt, __dynamic_pr_debug, \
> | ^
> ./include/linux/dynamic_debug.h:134:17: note: in definition of macro '__dynamic_func_call'
> 134 | func(&id, ##__VA_ARGS__); \
> | ^~~~
> ./include/linux/dynamic_debug.h:162:9: note: in expansion of macro '_dynamic_func_call'
> 162 | _dynamic_func_call(fmt, __dynamic_pr_debug, \
> | ^~~~~~~~~~~~~~~~~~
> ./include/linux/printk.h:570:9: note: in expansion of macro 'dynamic_pr_debug'
> 570 | dynamic_pr_debug(fmt, ##__VA_ARGS__)
> | ^~~~~~~~~~~~~~~~
> drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c:1807:41: note: in expansion of macro 'pr_debug'
> 1807 | pr_debug("Mask: %8.8x %8.8x %8.8x %8.8x %8.8x",
> | ^~~~~~~~
> drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c:1765:13: note: while referencing 'mask'
> 1765 | u32 mask[4];
> | ^~~~
>
> This is justified because the mask size (eng_grps->engs_num) can be at
> most 144 (OTX2_CPT_MAX_ENGINES bits), which is larger than available
> storage. 4 * 32 == 128, so this must be 5: 5 * 32bit = 150.
>
160
> Additionally clear the mask before conversion so trailing bits are zero.
>
> Cc: Herbert Xu <herbert@gondor.apana.org.au>
> Cc: Boris Brezillon <bbrezillon@kernel.org>
> Cc: Arnaud Ebalard <arno@natisbad.org>
> Cc: Srujana Challa <schalla@marvell.com>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Suheil Chandran <schandran@marvell.com>
> Cc: Shijith Thotton <sthotton@marvell.com>
> Cc: Lukasz Bartosik <lbartosik@marvell.com>
> Cc: linux-crypto@vger.kernel.org
> Fixes: d9d7749773e8 ("crypto: octeontx2 - add apis for custom engine groups")
> Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
> ---
> v1: https://lore.kernel.org/lkml/20211215225558.1995027-1-keescook@chromium.org/
> v2:
> - expliticly zero "mask"
> - explain math in commit log
> - move definition into local context
> ---
> drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c b/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
> index 4c8ebdf671ca..1b4d425bbf0e 100644
> --- a/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
> +++ b/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
> @@ -1753,7 +1753,6 @@ void otx2_cpt_print_uc_dbg_info(struct otx2_cptpf_dev *cptpf)
> char engs_info[2 * OTX2_CPT_NAME_LENGTH];
> struct otx2_cpt_eng_grp_info *grp;
> struct otx2_cpt_engs_rsvd *engs;
> - u32 mask[4];
> int i, j;
>
> pr_debug("Engine groups global info");
> @@ -1785,6 +1784,8 @@ void otx2_cpt_print_uc_dbg_info(struct otx2_cptpf_dev *cptpf)
> for (j = 0; j < OTX2_CPT_MAX_ETYPES_PER_GRP; j++) {
> engs = &grp->engs[j];
> if (engs->type) {
> + u32 mask[5] = { };
> +
> get_engs_info(grp, engs_info,
> 2 * OTX2_CPT_NAME_LENGTH, j);
> pr_debug("Slot%d: %s", j, engs_info);
> --
> 2.30.2
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-01-08 9:28 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-01-05 17:49 [PATCH v2] crypto: octeontx2 - Avoid stack variable overflow Kees Cook
2022-01-08 9:28 ` Ard Biesheuvel
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).