On Wed, Jun 20, 2018 at 4:40 PM, Eric Biggers <ebiggers3@xxxxxxxxx> wrote: > On Wed, Jun 20, 2018 at 12:04:02PM -0700, Kees Cook wrote: >> In the quest to remove all stack VLA usage from the kernel[1], this >> exposes the existing upper bound on crypto block sizes for VLA removal, >> and introduces a new check for alignmask (current maximum in the kernel >> is 63 from manual inspection of all cra_alignmask settings). >> >> [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@xxxxxxxxxxxxxx >> >> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> >> --- >> crypto/algapi.c | 5 ++++- >> include/linux/crypto.h | 4 ++++ >> 2 files changed, 8 insertions(+), 1 deletion(-) >> >> diff --git a/crypto/algapi.c b/crypto/algapi.c >> index c0755cf4f53f..760a412b059c 100644 >> --- a/crypto/algapi.c >> +++ b/crypto/algapi.c >> @@ -57,7 +57,10 @@ static int crypto_check_alg(struct crypto_alg *alg) >> if (alg->cra_alignmask & (alg->cra_alignmask + 1)) >> return -EINVAL; >> >> - if (alg->cra_blocksize > PAGE_SIZE / 8) >> + if (alg->cra_blocksize > CRYPTO_ALG_MAX_BLOCKSIZE) >> + return -EINVAL; >> + >> + if (alg->cra_alignmask > CRYPTO_ALG_MAX_ALIGNMASK) >> return -EINVAL; >> >> if (!alg->cra_type && (alg->cra_flags & CRYPTO_ALG_TYPE_MASK) == >> diff --git a/include/linux/crypto.h b/include/linux/crypto.h >> index 6eb06101089f..e76ffcbd5aa6 100644 >> --- a/include/linux/crypto.h >> +++ b/include/linux/crypto.h >> @@ -134,6 +134,10 @@ >> */ >> #define CRYPTO_MAX_ALG_NAME 128 >> >> +/* Maximum values for registered algorithms. */ >> +#define CRYPTO_ALG_MAX_BLOCKSIZE (PAGE_SIZE / 8) >> +#define CRYPTO_ALG_MAX_ALIGNMASK 63 >> + > > How do these differ from MAX_CIPHER_BLOCKSIZE and MAX_CIPHER_ALIGNMASK, and why > are they declared in different places? This is what I get for staring at crypto code for so long. I entirely missed these checks... even though they're 8 line away: if (!alg->cra_type && (alg->cra_flags & CRYPTO_ALG_TYPE_MASK) == CRYPTO_ALG_TYPE_CIPHER) { if (alg->cra_alignmask > MAX_CIPHER_ALIGNMASK) return -EINVAL; if (alg->cra_blocksize > MAX_CIPHER_BLOCKSIZE) return -EINVAL; } However, this is only checking CRYPTO_ALG_TYPE_CIPHER, and cra_blocksize can be used for all kinds of things. include/crypto/algapi.h:#define MAX_CIPHER_ALIGNMASK 15 ... drivers/crypto/mxs-dcp.c: .cra_flags = CRYPTO_ALG_ASYNC, drivers/crypto/mxs-dcp.c: .cra_alignmask = 63, Is this one broken? It has no CRYPTO_ALG_TYPE_... ? For my CRYPTO_ALG_MAX_BLOCKSIZE, there is: crypto/xcbc.c: u8 key1[CRYPTO_ALG_MAX_BLOCKSIZE]; drivers/crypto/qat/qat_common/qat_algs.c: char ipad[CRYPTO_ALG_MAX_BLOCKSIZE]; drivers/crypto/qat/qat_common/qat_algs.c: char opad[CRYPTO_ALG_MAX_BLOCKSIZE]; It looks like both xcbc and qat are used with shash, so that needs a separate max blocksize. For my CRYPTO_ALG_MAX_ALIGNMASK, there is: crypto/shash.c: u8 ubuf[CRYPTO_ALG_MAX_ALIGNMASK] crypto/shash.c: __aligned(CRYPTO_ALG_MAX_ALIGNMASK + 1); crypto/shash.c: __aligned(CRYPTO_ALG_MAX_ALIGNMASK + 1); which is also shash. How should I rename these and best apply the registration-time sanity checks? -Kees -- Kees Cook Pixel Security