On Tue, Jun 26, 2018 at 2:20 AM, Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> wrote: > On Mon, Jun 25, 2018 at 02:10:26PM -0700, Kees Cook wrote: >> In the quest to remove all stack VLA usage from the kernel[1], this >> caps the skcipher request size similar to other limits and adds a >> sanity check at registration. In a manual review of the callers of >> crypto_skcipher_set_reqsize(), the largest was 384: >> >> 4 sun4i_cipher_req_ctx >> 6 safexcel_cipher_req >> 8 cryptd_skcipher_request_ctx >> 80 cipher_req_ctx >> 80 skcipher_request >> 96 crypto_rfc3686_req_ctx >> 104 nitrox_kcrypt_request >> 144 mv_cesa_skcipher_std_req >> 384 rctx >> >> [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@xxxxxxxxxxxxxx >> >> Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> >> Cc: "David S. Miller" <davem@xxxxxxxxxxxxx> >> Cc: linux-crypto@xxxxxxxxxxxxxxx >> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> > > This has the same issue as the ahash reqsize patch. Which are likely to be wrapped together? Should I take this to 512 or something else? -Kees -- Kees Cook Pixel Security