* [PATCH] crypto/ecc: Remove stack VLA usage
@ 2018-03-07 21:56 Kees Cook
2018-03-08 9:43 ` Tudor Ambarus
0 siblings, 1 reply; 4+ messages in thread
From: Kees Cook @ 2018-03-07 21:56 UTC (permalink / raw)
To: Herbert Xu; +Cc: linux-kernel, David S. Miller, linux-crypto, kernel-hardening
On the quest to remove all VLAs from the kernel[1], this switches to
a pair of kmalloc regions instead of using the stack. This also moves
the get_random_bytes() after all allocations (and drops the needless
"nbytes" variable).
[1] https://lkml.org/lkml/2018/3/7/621
Signed-off-by: Kees Cook <keescook@chromium.org>
---
crypto/ecc.c | 23 +++++++++++++++++------
1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/crypto/ecc.c b/crypto/ecc.c
index 18f32f2a5e1c..5bfa63603da0 100644
--- a/crypto/ecc.c
+++ b/crypto/ecc.c
@@ -1025,9 +1025,7 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
{
int ret = 0;
struct ecc_point *product, *pk;
- u64 priv[ndigits];
- u64 rand_z[ndigits];
- unsigned int nbytes;
+ u64 *priv, *rand_z;
const struct ecc_curve *curve = ecc_get_curve(curve_id);
if (!private_key || !public_key || !curve) {
@@ -1035,14 +1033,22 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
goto out;
}
- nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
+ priv = kmalloc_array(ndigits, sizeof(*priv), GFP_KERNEL);
+ if (!priv) {
+ ret = -ENOMEM;
+ goto out;
+ }
- get_random_bytes(rand_z, nbytes);
+ rand_z = kmalloc_array(ndigits, sizeof(*rand_z), GFP_KERNEL);
+ if (!rand_z) {
+ ret = -ENOMEM;
+ goto kfree_out;
+ }
pk = ecc_alloc_point(ndigits);
if (!pk) {
ret = -ENOMEM;
- goto out;
+ goto kfree_out;
}
product = ecc_alloc_point(ndigits);
@@ -1051,6 +1057,8 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
goto err_alloc_product;
}
+ get_random_bytes(rand_z, ndigits << ECC_DIGITS_TO_BYTES_SHIFT);
+
ecc_swap_digits(public_key, pk->x, ndigits);
ecc_swap_digits(&public_key[ndigits], pk->y, ndigits);
ecc_swap_digits(private_key, priv, ndigits);
@@ -1065,6 +1073,9 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
ecc_free_point(product);
err_alloc_product:
ecc_free_point(pk);
+kfree_out:
+ kfree(priv);
+ kfree(rand_z);
out:
return ret;
}
--
2.7.4
--
Kees Cook
Pixel Security
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] crypto/ecc: Remove stack VLA usage
2018-03-07 21:56 [PATCH] crypto/ecc: Remove stack VLA usage Kees Cook
@ 2018-03-08 9:43 ` Tudor Ambarus
2018-03-08 21:55 ` Kees Cook
0 siblings, 1 reply; 4+ messages in thread
From: Tudor Ambarus @ 2018-03-08 9:43 UTC (permalink / raw)
To: Kees Cook, Herbert Xu
Cc: linux-kernel, David S. Miller, linux-crypto, kernel-hardening
Hi, Kees,
On 03/07/2018 11:56 PM, Kees Cook wrote:
> On the quest to remove all VLAs from the kernel[1], this switches to
> a pair of kmalloc regions instead of using the stack. This also moves
> the get_random_bytes() after all allocations (and drops the needless
> "nbytes" variable).
>
> [1] https://lkml.org/lkml/2018/3/7/621
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> crypto/ecc.c | 23 +++++++++++++++++------
> 1 file changed, 17 insertions(+), 6 deletions(-)
>
> diff --git a/crypto/ecc.c b/crypto/ecc.c
> index 18f32f2a5e1c..5bfa63603da0 100644
> --- a/crypto/ecc.c
> +++ b/crypto/ecc.c
> @@ -1025,9 +1025,7 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
> {
> int ret = 0;
> struct ecc_point *product, *pk;
> - u64 priv[ndigits];
> - u64 rand_z[ndigits];
> - unsigned int nbytes;
> + u64 *priv, *rand_z;
> const struct ecc_curve *curve = ecc_get_curve(curve_id);
>
> if (!private_key || !public_key || !curve) {
> @@ -1035,14 +1033,22 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
> goto out;
> }
>
> - nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
> + priv = kmalloc_array(ndigits, sizeof(*priv), GFP_KERNEL);
> + if (!priv) {
> + ret = -ENOMEM;
> + goto out;
> + }
>
> - get_random_bytes(rand_z, nbytes);
> + rand_z = kmalloc_array(ndigits, sizeof(*rand_z), GFP_KERNEL);
> + if (!rand_z) {
> + ret = -ENOMEM;
> + goto kfree_out;
> + }
>
> pk = ecc_alloc_point(ndigits);
> if (!pk) {
> ret = -ENOMEM;
> - goto out;
> + goto kfree_out;
> }
>
> product = ecc_alloc_point(ndigits);
> @@ -1051,6 +1057,8 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
> goto err_alloc_product;
> }
>
> + get_random_bytes(rand_z, ndigits << ECC_DIGITS_TO_BYTES_SHIFT);
> +
> ecc_swap_digits(public_key, pk->x, ndigits);
> ecc_swap_digits(&public_key[ndigits], pk->y, ndigits);
> ecc_swap_digits(private_key, priv, ndigits);
> @@ -1065,6 +1073,9 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
> ecc_free_point(product);
> err_alloc_product:
> ecc_free_point(pk);
> +kfree_out:
> + kfree(priv);
I think we should use kzfree here.
> + kfree(rand_z);
Probably here too. Looks like there are few intermediate buffers in ecc
that should be zeroized as well.
Best,
ta
> out:
> return ret;
> }
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] crypto/ecc: Remove stack VLA usage
2018-03-08 9:43 ` Tudor Ambarus
@ 2018-03-08 21:55 ` Kees Cook
2018-03-09 8:21 ` Tudor Ambarus
0 siblings, 1 reply; 4+ messages in thread
From: Kees Cook @ 2018-03-08 21:55 UTC (permalink / raw)
To: Tudor Ambarus
Cc: Herbert Xu, LKML, David S. Miller, linux-crypto, Kernel Hardening
On Thu, Mar 8, 2018 at 1:43 AM, Tudor Ambarus
<tudor.ambarus@microchip.com> wrote:
> Hi, Kees,
>
>
> On 03/07/2018 11:56 PM, Kees Cook wrote:
>>
>> On the quest to remove all VLAs from the kernel[1], this switches to
>> a pair of kmalloc regions instead of using the stack. This also moves
>> the get_random_bytes() after all allocations (and drops the needless
>> "nbytes" variable).
>>
>> [1] https://lkml.org/lkml/2018/3/7/621
>>
>> Signed-off-by: Kees Cook <keescook@chromium.org>
>> ---
>> crypto/ecc.c | 23 +++++++++++++++++------
>> 1 file changed, 17 insertions(+), 6 deletions(-)
>>
>> diff --git a/crypto/ecc.c b/crypto/ecc.c
>> index 18f32f2a5e1c..5bfa63603da0 100644
>> --- a/crypto/ecc.c
>> +++ b/crypto/ecc.c
>> @@ -1025,9 +1025,7 @@ int crypto_ecdh_shared_secret(unsigned int curve_id,
>> unsigned int ndigits,
>> {
>> int ret = 0;
>> struct ecc_point *product, *pk;
>> - u64 priv[ndigits];
>> - u64 rand_z[ndigits];
>> - unsigned int nbytes;
>> + u64 *priv, *rand_z;
>> const struct ecc_curve *curve = ecc_get_curve(curve_id);
>> if (!private_key || !public_key || !curve) {
>> @@ -1035,14 +1033,22 @@ int crypto_ecdh_shared_secret(unsigned int
>> curve_id, unsigned int ndigits,
>> goto out;
>> }
>> - nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
>> + priv = kmalloc_array(ndigits, sizeof(*priv), GFP_KERNEL);
>> + if (!priv) {
>> + ret = -ENOMEM;
>> + goto out;
>> + }
>> - get_random_bytes(rand_z, nbytes);
>> + rand_z = kmalloc_array(ndigits, sizeof(*rand_z), GFP_KERNEL);
>> + if (!rand_z) {
>> + ret = -ENOMEM;
>> + goto kfree_out;
>> + }
>> pk = ecc_alloc_point(ndigits);
>> if (!pk) {
>> ret = -ENOMEM;
>> - goto out;
>> + goto kfree_out;
>> }
>> product = ecc_alloc_point(ndigits);
>> @@ -1051,6 +1057,8 @@ int crypto_ecdh_shared_secret(unsigned int curve_id,
>> unsigned int ndigits,
>> goto err_alloc_product;
>> }
>> + get_random_bytes(rand_z, ndigits << ECC_DIGITS_TO_BYTES_SHIFT);
>> +
>> ecc_swap_digits(public_key, pk->x, ndigits);
>> ecc_swap_digits(&public_key[ndigits], pk->y, ndigits);
>> ecc_swap_digits(private_key, priv, ndigits);
>> @@ -1065,6 +1073,9 @@ int crypto_ecdh_shared_secret(unsigned int curve_id,
>> unsigned int ndigits,
>> ecc_free_point(product);
>> err_alloc_product:
>> ecc_free_point(pk);
>> +kfree_out:
>> + kfree(priv);
>
>
> I think we should use kzfree here.
>
>> + kfree(rand_z);
>
>
> Probably here too.
Ah yeah, good idea. I'll send a v2.
> Looks like there are few intermediate buffers in ecc
> that should be zeroized as well.
Can you send a patch for those?
Thanks!
-Kees
>
> Best,
> ta
>>
>> out:
>> return ret;
>> }
>>
>
--
Kees Cook
Pixel Security
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] crypto/ecc: Remove stack VLA usage
2018-03-08 21:55 ` Kees Cook
@ 2018-03-09 8:21 ` Tudor Ambarus
0 siblings, 0 replies; 4+ messages in thread
From: Tudor Ambarus @ 2018-03-09 8:21 UTC (permalink / raw)
To: Kees Cook
Cc: Herbert Xu, LKML, David S. Miller, linux-crypto, Kernel Hardening
On 03/08/2018 11:55 PM, Kees Cook wrote:
>> Looks like there are few intermediate buffers in ecc
>> that should be zeroized as well.
> Can you send a patch for those?
Yeah, I'll take a look.
Best,
ta
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-03-09 8:21 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-03-07 21:56 [PATCH] crypto/ecc: Remove stack VLA usage Kees Cook
2018-03-08 9:43 ` Tudor Ambarus
2018-03-08 21:55 ` Kees Cook
2018-03-09 8:21 ` Tudor Ambarus
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).