Re: [PATCH] ima: dynamically allocate shash_desc

From: Arnd Bergmann <arnd@arndb.de>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
	James Morris <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
	Stefan Berger <stefanb@linux.vnet.ibm.com>,
	linux-integrity@vger.kernel.org,
	LSM List <linux-security-module@vger.kernel.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] ima: dynamically allocate shash_desc
Date: Tue, 18 Jun 2019 20:06:46 +0200	[thread overview]
Message-ID: <CAK8P3a0_7ocqJZHA5Zbkd4yvhQnczKJxiSrBjOUDCmzO4gAb2Q@mail.gmail.com> (raw)
In-Reply-To: <1560861878.9530.17.camel@linux.ibm.com>

On Tue, Jun 18, 2019 at 3:55 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> On Mon, 2019-06-17 at 22:08 +0200, Arnd Bergmann wrote:
> > On Mon, Jun 17, 2019 at 8:08 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
> > >
> > > On Mon, 2019-06-17 at 11:55 -0400, Mimi Zohar wrote:
> > > > On Mon, 2019-06-17 at 13:20 +0200, Arnd Bergmann wrote:
> > > > > On 32-bit ARM, we get a warning about excessive stack usage when
> > > > > building with clang.
> > > > >
> > > > > security/integrity/ima/ima_crypto.c:504:5: error: stack frame size
> > > > > of 1152 bytes in function 'ima_calc_field_array_hash' [-Werror,-
> > > > > Wframe-larger-than=]
> > > >
> > > > I'm definitely not seeing this.  Is this problem a result of non
> > > > upstreamed patches?  For sha1, currently the only possible hash
> > > > algorithm, I'm seeing 664.
> >
> > You won't see it with gcc, only with clang in some randconfig builds,
> > I suppose only when KASAN is enabled.
> >
> > > Every time a measurement is added to the measurement list, the memory
> > > would be allocated/freed.  The frequency of new measurements is policy
> > > dependent.  For performance reasons, I'd prefer if the allocation
> > > remains on the stack.
> >
> > Is there a way to preallocate the shash_desc instead? That would
> > avoid the overhead.
>
> There are 3 other SHASH_DESC_ON_STACK definitions in just
> ima_crypto.c, with a total of ~55 other places in the kernel.  Before
> fixing this particular function, I'd like to know if the "excessive
> stack usage" warning is limited to ima_calc_field_array_hash_tfm().
>  If so, what is so special about its usage of SHASH_DESC_ON_STACK?

SHASH_DESC_ON_STACK() uses at least 512 bytes of stack
everywhere, which is half of the warning limit for a function on
32 bit kernels.

With KASAN, a small redzone is put around it so we can detect out
of bounds access to a variable that is passed by reference.
clang makes that buffer larger than gcc, so we end up with something
like 768 bytes for each instance of SHASH_DESC_ON_STACK().

Most other users still stay below the 1024 byte warning level though,
because typical functions only use a few bytes of stack space.
In case of ima_calc_field_array_hash_tfm(), the is also the buffer[]
array of 255 bytes that gets another large redzone.

I fixed up all the (randconfig) warnings I get for arm32, arm64 and
x86 kernels, and I think there were four to five that were because of
SHASH_DESC_ON_STACK(). It might make sense to convert all
three instances in ima to preallocate the descriptor if we do it for
one of them, even when it's not actually needed.

     Arnd