linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] crypto/ecc: Remove stack VLA usage
@ 2018-03-07 21:56 Kees Cook
  2018-03-08  9:43 ` Tudor Ambarus
  0 siblings, 1 reply; 4+ messages in thread
From: Kees Cook @ 2018-03-07 21:56 UTC (permalink / raw)
  To: Herbert Xu; +Cc: linux-kernel, David S. Miller, linux-crypto, kernel-hardening

On the quest to remove all VLAs from the kernel[1], this switches to
a pair of kmalloc regions instead of using the stack. This also moves
the get_random_bytes() after all allocations (and drops the needless
"nbytes" variable).

[1] https://lkml.org/lkml/2018/3/7/621

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 crypto/ecc.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/crypto/ecc.c b/crypto/ecc.c
index 18f32f2a5e1c..5bfa63603da0 100644
--- a/crypto/ecc.c
+++ b/crypto/ecc.c
@@ -1025,9 +1025,7 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
 {
 	int ret = 0;
 	struct ecc_point *product, *pk;
-	u64 priv[ndigits];
-	u64 rand_z[ndigits];
-	unsigned int nbytes;
+	u64 *priv, *rand_z;
 	const struct ecc_curve *curve = ecc_get_curve(curve_id);
 
 	if (!private_key || !public_key || !curve) {
@@ -1035,14 +1033,22 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
 		goto out;
 	}
 
-	nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
+	priv = kmalloc_array(ndigits, sizeof(*priv), GFP_KERNEL);
+	if (!priv) {
+		ret = -ENOMEM;
+		goto out;
+	}
 
-	get_random_bytes(rand_z, nbytes);
+	rand_z = kmalloc_array(ndigits, sizeof(*rand_z), GFP_KERNEL);
+	if (!rand_z) {
+		ret = -ENOMEM;
+		goto kfree_out;
+	}
 
 	pk = ecc_alloc_point(ndigits);
 	if (!pk) {
 		ret = -ENOMEM;
-		goto out;
+		goto kfree_out;
 	}
 
 	product = ecc_alloc_point(ndigits);
@@ -1051,6 +1057,8 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
 		goto err_alloc_product;
 	}
 
+	get_random_bytes(rand_z, ndigits << ECC_DIGITS_TO_BYTES_SHIFT);
+
 	ecc_swap_digits(public_key, pk->x, ndigits);
 	ecc_swap_digits(&public_key[ndigits], pk->y, ndigits);
 	ecc_swap_digits(private_key, priv, ndigits);
@@ -1065,6 +1073,9 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
 	ecc_free_point(product);
 err_alloc_product:
 	ecc_free_point(pk);
+kfree_out:
+	kfree(priv);
+	kfree(rand_z);
 out:
 	return ret;
 }
-- 
2.7.4


-- 
Kees Cook
Pixel Security

^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH] crypto/ecc: Remove stack VLA usage
  2018-03-07 21:56 [PATCH] crypto/ecc: Remove stack VLA usage Kees Cook
@ 2018-03-08  9:43 ` Tudor Ambarus
  2018-03-08 21:55   ` Kees Cook
  0 siblings, 1 reply; 4+ messages in thread
From: Tudor Ambarus @ 2018-03-08  9:43 UTC (permalink / raw)
  To: Kees Cook, Herbert Xu
  Cc: linux-kernel, David S. Miller, linux-crypto, kernel-hardening

Hi, Kees,

On 03/07/2018 11:56 PM, Kees Cook wrote:
> On the quest to remove all VLAs from the kernel[1], this switches to
> a pair of kmalloc regions instead of using the stack. This also moves
> the get_random_bytes() after all allocations (and drops the needless
> "nbytes" variable).
> 
> [1] https://lkml.org/lkml/2018/3/7/621
> 
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>   crypto/ecc.c | 23 +++++++++++++++++------
>   1 file changed, 17 insertions(+), 6 deletions(-)
> 
> diff --git a/crypto/ecc.c b/crypto/ecc.c
> index 18f32f2a5e1c..5bfa63603da0 100644
> --- a/crypto/ecc.c
> +++ b/crypto/ecc.c
> @@ -1025,9 +1025,7 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
>   {
>   	int ret = 0;
>   	struct ecc_point *product, *pk;
> -	u64 priv[ndigits];
> -	u64 rand_z[ndigits];
> -	unsigned int nbytes;
> +	u64 *priv, *rand_z;
>   	const struct ecc_curve *curve = ecc_get_curve(curve_id);
>   
>   	if (!private_key || !public_key || !curve) {
> @@ -1035,14 +1033,22 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
>   		goto out;
>   	}
>   
> -	nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
> +	priv = kmalloc_array(ndigits, sizeof(*priv), GFP_KERNEL);
> +	if (!priv) {
> +		ret = -ENOMEM;
> +		goto out;
> +	}
>   
> -	get_random_bytes(rand_z, nbytes);
> +	rand_z = kmalloc_array(ndigits, sizeof(*rand_z), GFP_KERNEL);
> +	if (!rand_z) {
> +		ret = -ENOMEM;
> +		goto kfree_out;
> +	}
>   
>   	pk = ecc_alloc_point(ndigits);
>   	if (!pk) {
>   		ret = -ENOMEM;
> -		goto out;
> +		goto kfree_out;
>   	}
>   
>   	product = ecc_alloc_point(ndigits);
> @@ -1051,6 +1057,8 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
>   		goto err_alloc_product;
>   	}
>   
> +	get_random_bytes(rand_z, ndigits << ECC_DIGITS_TO_BYTES_SHIFT);
> +
>   	ecc_swap_digits(public_key, pk->x, ndigits);
>   	ecc_swap_digits(&public_key[ndigits], pk->y, ndigits);
>   	ecc_swap_digits(private_key, priv, ndigits);
> @@ -1065,6 +1073,9 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
>   	ecc_free_point(product);
>   err_alloc_product:
>   	ecc_free_point(pk);
> +kfree_out:
> +	kfree(priv);

I think we should use kzfree here.

> +	kfree(rand_z);

Probably here too. Looks like there are few intermediate buffers in ecc
that should be zeroized as well.

Best,
ta
>   out:
>   	return ret;
>   }
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH] crypto/ecc: Remove stack VLA usage
  2018-03-08  9:43 ` Tudor Ambarus
@ 2018-03-08 21:55   ` Kees Cook
  2018-03-09  8:21     ` Tudor Ambarus
  0 siblings, 1 reply; 4+ messages in thread
From: Kees Cook @ 2018-03-08 21:55 UTC (permalink / raw)
  To: Tudor Ambarus
  Cc: Herbert Xu, LKML, David S. Miller, linux-crypto, Kernel Hardening

On Thu, Mar 8, 2018 at 1:43 AM, Tudor Ambarus
<tudor.ambarus@microchip.com> wrote:
> Hi, Kees,
>
>
> On 03/07/2018 11:56 PM, Kees Cook wrote:
>>
>> On the quest to remove all VLAs from the kernel[1], this switches to
>> a pair of kmalloc regions instead of using the stack. This also moves
>> the get_random_bytes() after all allocations (and drops the needless
>> "nbytes" variable).
>>
>> [1] https://lkml.org/lkml/2018/3/7/621
>>
>> Signed-off-by: Kees Cook <keescook@chromium.org>
>> ---
>>   crypto/ecc.c | 23 +++++++++++++++++------
>>   1 file changed, 17 insertions(+), 6 deletions(-)
>>
>> diff --git a/crypto/ecc.c b/crypto/ecc.c
>> index 18f32f2a5e1c..5bfa63603da0 100644
>> --- a/crypto/ecc.c
>> +++ b/crypto/ecc.c
>> @@ -1025,9 +1025,7 @@ int crypto_ecdh_shared_secret(unsigned int curve_id,
>> unsigned int ndigits,
>>   {
>>         int ret = 0;
>>         struct ecc_point *product, *pk;
>> -       u64 priv[ndigits];
>> -       u64 rand_z[ndigits];
>> -       unsigned int nbytes;
>> +       u64 *priv, *rand_z;
>>         const struct ecc_curve *curve = ecc_get_curve(curve_id);
>>         if (!private_key || !public_key || !curve) {
>> @@ -1035,14 +1033,22 @@ int crypto_ecdh_shared_secret(unsigned int
>> curve_id, unsigned int ndigits,
>>                 goto out;
>>         }
>>   -     nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
>> +       priv = kmalloc_array(ndigits, sizeof(*priv), GFP_KERNEL);
>> +       if (!priv) {
>> +               ret = -ENOMEM;
>> +               goto out;
>> +       }
>>   -     get_random_bytes(rand_z, nbytes);
>> +       rand_z = kmalloc_array(ndigits, sizeof(*rand_z), GFP_KERNEL);
>> +       if (!rand_z) {
>> +               ret = -ENOMEM;
>> +               goto kfree_out;
>> +       }
>>         pk = ecc_alloc_point(ndigits);
>>         if (!pk) {
>>                 ret = -ENOMEM;
>> -               goto out;
>> +               goto kfree_out;
>>         }
>>         product = ecc_alloc_point(ndigits);
>> @@ -1051,6 +1057,8 @@ int crypto_ecdh_shared_secret(unsigned int curve_id,
>> unsigned int ndigits,
>>                 goto err_alloc_product;
>>         }
>>   +     get_random_bytes(rand_z, ndigits << ECC_DIGITS_TO_BYTES_SHIFT);
>> +
>>         ecc_swap_digits(public_key, pk->x, ndigits);
>>         ecc_swap_digits(&public_key[ndigits], pk->y, ndigits);
>>         ecc_swap_digits(private_key, priv, ndigits);
>> @@ -1065,6 +1073,9 @@ int crypto_ecdh_shared_secret(unsigned int curve_id,
>> unsigned int ndigits,
>>         ecc_free_point(product);
>>   err_alloc_product:
>>         ecc_free_point(pk);
>> +kfree_out:
>> +       kfree(priv);
>
>
> I think we should use kzfree here.
>
>> +       kfree(rand_z);
>
>
> Probably here too.

Ah yeah, good idea. I'll send a v2.

> Looks like there are few intermediate buffers in ecc
> that should be zeroized as well.

Can you send a patch for those?

Thanks!

-Kees

>
> Best,
> ta
>>
>>   out:
>>         return ret;
>>   }
>>
>



-- 
Kees Cook
Pixel Security

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH] crypto/ecc: Remove stack VLA usage
  2018-03-08 21:55   ` Kees Cook
@ 2018-03-09  8:21     ` Tudor Ambarus
  0 siblings, 0 replies; 4+ messages in thread
From: Tudor Ambarus @ 2018-03-09  8:21 UTC (permalink / raw)
  To: Kees Cook
  Cc: Herbert Xu, LKML, David S. Miller, linux-crypto, Kernel Hardening



On 03/08/2018 11:55 PM, Kees Cook wrote:
>> Looks like there are few intermediate buffers in ecc
>> that should be zeroized as well.
> Can you send a patch for those?

Yeah, I'll take a look.

Best,
ta

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-03-09  8:21 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-03-07 21:56 [PATCH] crypto/ecc: Remove stack VLA usage Kees Cook
2018-03-08  9:43 ` Tudor Ambarus
2018-03-08 21:55   ` Kees Cook
2018-03-09  8:21     ` Tudor Ambarus

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).