From: Ard Biesheuvel <ardb@kernel.org>
To: Arnd Bergmann <arnd@arndb.de>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
kernel test robot <lkp@intel.com>,
Peter Oberparleiter <oberpar@linux.ibm.com>,
Kees Cook <keescook@chromium.org>,
Andrey Ryabinin <aryabinin@virtuozzo.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
kbuild-all@lists.01.org,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Linux Crypto Mailing List <linux-crypto@vger.kernel.org>
Subject: Re: lib/crypto/chacha.c:65:1: warning: the frame size of 1604 bytes is larger than 1024 bytes
Date: Thu, 27 Aug 2020 10:42:08 +0200 [thread overview]
Message-ID: <CAMj1kXHhmAdHjK5avXOySw43khzft1g8p48jX7aTeTC0FvS7tQ@mail.gmail.com> (raw)
In-Reply-To: <CAK8P3a3tjv78arTj75eKk5zYUhrGkPYRDLiqv3WJJC=U+Jia0Q@mail.gmail.com>
On Thu, 27 Aug 2020 at 10:33, Arnd Bergmann <arnd@arndb.de> wrote:
>
> On Thu, Aug 27, 2020 at 10:10 AM Ard Biesheuvel <ardb@kernel.org> wrote:
> > On Thu, 27 Aug 2020 at 10:06, Herbert Xu <herbert@gondor.apana.org.au> wrote:
> > >
> > > On Thu, Aug 27, 2020 at 11:52:50AM +0800, kernel test robot wrote:
> > > >
> > > > First bad commit (maybe != root cause):
> > > >
> > > > tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
> > > > head: 15bc20c6af4ceee97a1f90b43c0e386643c071b4
> > > > commit: 5fb8ef25803ef33e2eb60b626435828b937bed75 crypto: chacha - move existing library code into lib/crypto
> > > > date: 9 months ago
> > > > config: i386-randconfig-r015-20200827 (attached as .config)
> > > > compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
> > > > reproduce (this is a W=1 build):
> > > > git checkout 5fb8ef25803ef33e2eb60b626435828b937bed75
> > > > # save the attached .config to linux build tree
> > > > make W=1 ARCH=i386
> > > >
> > > > If you fix the issue, kindly add following tag as appropriate
> > > > Reported-by: kernel test robot <lkp@intel.com>
> > > >
> > > > All warnings (new ones prefixed by >>):
> > > >
> > > > lib/crypto/chacha.c: In function 'chacha_permute':
> > > > >> lib/crypto/chacha.c:65:1: warning: the frame size of 1604 bytes is larger than 1024 bytes [-Wframe-larger-than=]
> > > > 65 | }
> > > > | ^
> > >
> > > This doesn't happen with a normal configuration. To recreate
> > > this warning, you need to enable both GCOV_KERNEL and UBSAN.
> > >
> > > This is the minimal gcc command-line to recreate it:
> > >
> > > gcc -Wframe-larger-than=1024 -fprofile-arcs -fsanitize=object-size -c -O2 chacha.c
> > >
> > > If you take away either profile-arcs or sanitize=object-size then
> > > the problem goes away.
> > >
> > > Any suggestions?
> > >
> >
> > Is it really worth it to obsess about this? Special compiler
> > instrumentation simply leads to a larger stack footprint in many
> > cases, which is why we use a larger stack to begin with (at least we
> > do so for Kasan, so if we don't for Ubsan, we should consider it)
> >
> > Past experience also shows that this is highly dependent on the exact
> > compiler version, so issues like these are often moving targets.
>
> Yes, I do think it is important to address these in some form,
> for multiple reasons:
>
> * With the limited amount of stack space in normal uninstrumented
> kernels, I do think it is vital to have a fairly low default warning
> limit in order to catch all cases that do something dangerously
> stupid, either because of code bugs or compiler bugs.
>
> * I also think we do want the warning enabled in other configurations,
> in particular because the compiler tends to make increasingly stupid
> decisions when combining less common instrumentations, which
> again can lead to instant exploitable bugs, e.g. when a function's
> stack frame grows beyond the total stack size. In many cases the
> gcc and clang developers are both able to address these quickly
> when we send a good bug report (which unfortunately can be a lot of
> work).
>
> * The crypto cipher code unfortunately is particularly prone to running
> into these issues because each new compiler version tries to
> find more clever tricks to optimize code that in turn implements
> an algorithm that intentionally tries to not have any clever shortcuts.
> In many cases the stack size warning that we see in some
> configurations is an indicator for the compiler running into a false
> optimization even on the non-instrumented code that leads to lower
> performance from unnecessary register spilling that should be
> avoided.
>
In that case, I suppose we should simply disable instrumentation for
chacha_permute()? It is a straight-forward arithmetic transformation
on a u32[16] array, where ubsan has limited value afaict.
next prev parent reply other threads:[~2020-08-27 8:42 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-27 3:52 lib/crypto/chacha.c:65:1: warning: the frame size of 1604 bytes is larger than 1024 bytes kernel test robot
2020-08-27 8:05 ` Herbert Xu
2020-08-27 8:10 ` Ard Biesheuvel
2020-08-27 8:24 ` Herbert Xu
2020-08-27 17:34 ` Linus Torvalds
2020-08-27 17:55 ` Linus Torvalds
2020-08-27 18:42 ` Kees Cook
2020-08-27 19:02 ` Linus Torvalds
2020-08-27 19:32 ` Kees Cook
2020-08-27 19:11 ` Arnd Bergmann
2020-08-27 19:34 ` Kees Cook
2020-08-27 20:08 ` Linus Torvalds
2020-08-27 8:33 ` Arnd Bergmann
2020-08-27 8:42 ` Ard Biesheuvel [this message]
2020-08-27 9:19 ` Arnd Bergmann
2020-08-27 10:41 ` Ard Biesheuvel
2020-08-27 11:51 ` Herbert Xu
2020-08-27 16:25 ` Arnd Bergmann
2020-09-19 17:27 kernel test robot
2020-10-18 19:13 kernel test robot
2020-10-19 15:47 ` Joe Perches
2020-10-20 8:00 ` David Laight
2020-10-20 10:13 ` Joe Perches
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAMj1kXHhmAdHjK5avXOySw43khzft1g8p48jX7aTeTC0FvS7tQ@mail.gmail.com \
--to=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=aryabinin@virtuozzo.com \
--cc=herbert@gondor.apana.org.au \
--cc=kbuild-all@lists.01.org \
--cc=keescook@chromium.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lkp@intel.com \
--cc=oberpar@linux.ibm.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).