subject:"\[PATCH\] crypto\/ecc\: Remove stack VLA usage"

Re: [PATCH] crypto/ecc: Remove stack VLA usage

2018-03-09 Thread Tudor Ambarus




On 03/08/2018 11:55 PM, Kees Cook wrote:

Looks like there are few intermediate buffers in ecc
that should be zeroized as well.

Can you send a patch for those?


Yeah, I'll take a look.

Best,
ta

Re: [PATCH] crypto/ecc: Remove stack VLA usage

2018-03-09 Thread Tudor Ambarus




On 03/08/2018 11:55 PM, Kees Cook wrote:

Looks like there are few intermediate buffers in ecc
that should be zeroized as well.

Can you send a patch for those?


Yeah, I'll take a look.

Best,
ta

Re: [PATCH] crypto/ecc: Remove stack VLA usage

2018-03-08 Thread Kees Cook

On Thu, Mar 8, 2018 at 1:43 AM, Tudor Ambarus
 wrote:
> Hi, Kees,
>
>
> On 03/07/2018 11:56 PM, Kees Cook wrote:
>>
>> On the quest to remove all VLAs from the kernel[1], this switches to
>> a pair of kmalloc regions instead of using the stack. This also moves
>> the get_random_bytes() after all allocations (and drops the needless
>> "nbytes" variable).
>>
>> [1] https://lkml.org/lkml/2018/3/7/621
>>
>> Signed-off-by: Kees Cook 
>> ---
>>   crypto/ecc.c | 23 +--
>>   1 file changed, 17 insertions(+), 6 deletions(-)
>>
>> diff --git a/crypto/ecc.c b/crypto/ecc.c
>> index 18f32f2a5e1c..5bfa63603da0 100644
>> --- a/crypto/ecc.c
>> +++ b/crypto/ecc.c
>> @@ -1025,9 +1025,7 @@ int crypto_ecdh_shared_secret(unsigned int curve_id,
>> unsigned int ndigits,
>>   {
>> int ret = 0;
>> struct ecc_point *product, *pk;
>> -   u64 priv[ndigits];
>> -   u64 rand_z[ndigits];
>> -   unsigned int nbytes;
>> +   u64 *priv, *rand_z;
>> const struct ecc_curve *curve = ecc_get_curve(curve_id);
>> if (!private_key || !public_key || !curve) {
>> @@ -1035,14 +1033,22 @@ int crypto_ecdh_shared_secret(unsigned int
>> curve_id, unsigned int ndigits,
>> goto out;
>> }
>>   - nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
>> +   priv = kmalloc_array(ndigits, sizeof(*priv), GFP_KERNEL);
>> +   if (!priv) {
>> +   ret = -ENOMEM;
>> +   goto out;
>> +   }
>>   - get_random_bytes(rand_z, nbytes);
>> +   rand_z = kmalloc_array(ndigits, sizeof(*rand_z), GFP_KERNEL);
>> +   if (!rand_z) {
>> +   ret = -ENOMEM;
>> +   goto kfree_out;
>> +   }
>> pk = ecc_alloc_point(ndigits);
>> if (!pk) {
>> ret = -ENOMEM;
>> -   goto out;
>> +   goto kfree_out;
>> }
>> product = ecc_alloc_point(ndigits);
>> @@ -1051,6 +1057,8 @@ int crypto_ecdh_shared_secret(unsigned int curve_id,
>> unsigned int ndigits,
>> goto err_alloc_product;
>> }
>>   + get_random_bytes(rand_z, ndigits << ECC_DIGITS_TO_BYTES_SHIFT);
>> +
>> ecc_swap_digits(public_key, pk->x, ndigits);
>> ecc_swap_digits(_key[ndigits], pk->y, ndigits);
>> ecc_swap_digits(private_key, priv, ndigits);
>> @@ -1065,6 +1073,9 @@ int crypto_ecdh_shared_secret(unsigned int curve_id,
>> unsigned int ndigits,
>> ecc_free_point(product);
>>   err_alloc_product:
>> ecc_free_point(pk);
>> +kfree_out:
>> +   kfree(priv);
>
>
> I think we should use kzfree here.
>
>> +   kfree(rand_z);
>
>
> Probably here too.

Ah yeah, good idea. I'll send a v2.

> Looks like there are few intermediate buffers in ecc
> that should be zeroized as well.

Can you send a patch for those?

Thanks!

-Kees

>
> Best,
> ta
>>
>>   out:
>> return ret;
>>   }
>>
>



-- 
Kees Cook
Pixel Security

Re: [PATCH] crypto/ecc: Remove stack VLA usage

2018-03-08 Thread Kees Cook

On Thu, Mar 8, 2018 at 1:43 AM, Tudor Ambarus
 wrote:
> Hi, Kees,
>
>
> On 03/07/2018 11:56 PM, Kees Cook wrote:
>>
>> On the quest to remove all VLAs from the kernel[1], this switches to
>> a pair of kmalloc regions instead of using the stack. This also moves
>> the get_random_bytes() after all allocations (and drops the needless
>> "nbytes" variable).
>>
>> [1] https://lkml.org/lkml/2018/3/7/621
>>
>> Signed-off-by: Kees Cook 
>> ---
>>   crypto/ecc.c | 23 +--
>>   1 file changed, 17 insertions(+), 6 deletions(-)
>>
>> diff --git a/crypto/ecc.c b/crypto/ecc.c
>> index 18f32f2a5e1c..5bfa63603da0 100644
>> --- a/crypto/ecc.c
>> +++ b/crypto/ecc.c
>> @@ -1025,9 +1025,7 @@ int crypto_ecdh_shared_secret(unsigned int curve_id,
>> unsigned int ndigits,
>>   {
>> int ret = 0;
>> struct ecc_point *product, *pk;
>> -   u64 priv[ndigits];
>> -   u64 rand_z[ndigits];
>> -   unsigned int nbytes;
>> +   u64 *priv, *rand_z;
>> const struct ecc_curve *curve = ecc_get_curve(curve_id);
>> if (!private_key || !public_key || !curve) {
>> @@ -1035,14 +1033,22 @@ int crypto_ecdh_shared_secret(unsigned int
>> curve_id, unsigned int ndigits,
>> goto out;
>> }
>>   - nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
>> +   priv = kmalloc_array(ndigits, sizeof(*priv), GFP_KERNEL);
>> +   if (!priv) {
>> +   ret = -ENOMEM;
>> +   goto out;
>> +   }
>>   - get_random_bytes(rand_z, nbytes);
>> +   rand_z = kmalloc_array(ndigits, sizeof(*rand_z), GFP_KERNEL);
>> +   if (!rand_z) {
>> +   ret = -ENOMEM;
>> +   goto kfree_out;
>> +   }
>> pk = ecc_alloc_point(ndigits);
>> if (!pk) {
>> ret = -ENOMEM;
>> -   goto out;
>> +   goto kfree_out;
>> }
>> product = ecc_alloc_point(ndigits);
>> @@ -1051,6 +1057,8 @@ int crypto_ecdh_shared_secret(unsigned int curve_id,
>> unsigned int ndigits,
>> goto err_alloc_product;
>> }
>>   + get_random_bytes(rand_z, ndigits << ECC_DIGITS_TO_BYTES_SHIFT);
>> +
>> ecc_swap_digits(public_key, pk->x, ndigits);
>> ecc_swap_digits(_key[ndigits], pk->y, ndigits);
>> ecc_swap_digits(private_key, priv, ndigits);
>> @@ -1065,6 +1073,9 @@ int crypto_ecdh_shared_secret(unsigned int curve_id,
>> unsigned int ndigits,
>> ecc_free_point(product);
>>   err_alloc_product:
>> ecc_free_point(pk);
>> +kfree_out:
>> +   kfree(priv);
>
>
> I think we should use kzfree here.
>
>> +   kfree(rand_z);
>
>
> Probably here too.

Ah yeah, good idea. I'll send a v2.

> Looks like there are few intermediate buffers in ecc
> that should be zeroized as well.

Can you send a patch for those?

Thanks!

-Kees

>
> Best,
> ta
>>
>>   out:
>> return ret;
>>   }
>>
>



-- 
Kees Cook
Pixel Security

Re: [PATCH] crypto/ecc: Remove stack VLA usage

2018-03-08 Thread Tudor Ambarus


Hi, Kees,

On 03/07/2018 11:56 PM, Kees Cook wrote:

On the quest to remove all VLAs from the kernel[1], this switches to
a pair of kmalloc regions instead of using the stack. This also moves
the get_random_bytes() after all allocations (and drops the needless
"nbytes" variable).

[1] https://lkml.org/lkml/2018/3/7/621

Signed-off-by: Kees Cook 
---
  crypto/ecc.c | 23 +--
  1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/crypto/ecc.c b/crypto/ecc.c
index 18f32f2a5e1c..5bfa63603da0 100644
--- a/crypto/ecc.c
+++ b/crypto/ecc.c
@@ -1025,9 +1025,7 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, 
unsigned int ndigits,
  {
int ret = 0;
struct ecc_point *product, *pk;
-   u64 priv[ndigits];
-   u64 rand_z[ndigits];
-   unsigned int nbytes;
+   u64 *priv, *rand_z;
const struct ecc_curve *curve = ecc_get_curve(curve_id);
  
  	if (!private_key || !public_key || !curve) {

@@ -1035,14 +1033,22 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, 
unsigned int ndigits,
goto out;
}
  
-	nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;

+   priv = kmalloc_array(ndigits, sizeof(*priv), GFP_KERNEL);
+   if (!priv) {
+   ret = -ENOMEM;
+   goto out;
+   }
  
-	get_random_bytes(rand_z, nbytes);

+   rand_z = kmalloc_array(ndigits, sizeof(*rand_z), GFP_KERNEL);
+   if (!rand_z) {
+   ret = -ENOMEM;
+   goto kfree_out;
+   }
  
  	pk = ecc_alloc_point(ndigits);

if (!pk) {
ret = -ENOMEM;
-   goto out;
+   goto kfree_out;
}
  
  	product = ecc_alloc_point(ndigits);

@@ -1051,6 +1057,8 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, 
unsigned int ndigits,
goto err_alloc_product;
}
  
+	get_random_bytes(rand_z, ndigits << ECC_DIGITS_TO_BYTES_SHIFT);

+
ecc_swap_digits(public_key, pk->x, ndigits);
ecc_swap_digits(_key[ndigits], pk->y, ndigits);
ecc_swap_digits(private_key, priv, ndigits);
@@ -1065,6 +1073,9 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, 
unsigned int ndigits,
ecc_free_point(product);
  err_alloc_product:
ecc_free_point(pk);
+kfree_out:
+   kfree(priv);


I think we should use kzfree here.


+   kfree(rand_z);


Probably here too. Looks like there are few intermediate buffers in ecc
that should be zeroized as well.

Best,
ta

  out:
return ret;
  }

Re: [PATCH] crypto/ecc: Remove stack VLA usage

2018-03-08 Thread Tudor Ambarus


Hi, Kees,

On 03/07/2018 11:56 PM, Kees Cook wrote:

On the quest to remove all VLAs from the kernel[1], this switches to
a pair of kmalloc regions instead of using the stack. This also moves
the get_random_bytes() after all allocations (and drops the needless
"nbytes" variable).

[1] https://lkml.org/lkml/2018/3/7/621

Signed-off-by: Kees Cook 
---
  crypto/ecc.c | 23 +--
  1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/crypto/ecc.c b/crypto/ecc.c
index 18f32f2a5e1c..5bfa63603da0 100644
--- a/crypto/ecc.c
+++ b/crypto/ecc.c
@@ -1025,9 +1025,7 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, 
unsigned int ndigits,
  {
int ret = 0;
struct ecc_point *product, *pk;
-   u64 priv[ndigits];
-   u64 rand_z[ndigits];
-   unsigned int nbytes;
+   u64 *priv, *rand_z;
const struct ecc_curve *curve = ecc_get_curve(curve_id);
  
  	if (!private_key || !public_key || !curve) {

@@ -1035,14 +1033,22 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, 
unsigned int ndigits,
goto out;
}
  
-	nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;

+   priv = kmalloc_array(ndigits, sizeof(*priv), GFP_KERNEL);
+   if (!priv) {
+   ret = -ENOMEM;
+   goto out;
+   }
  
-	get_random_bytes(rand_z, nbytes);

+   rand_z = kmalloc_array(ndigits, sizeof(*rand_z), GFP_KERNEL);
+   if (!rand_z) {
+   ret = -ENOMEM;
+   goto kfree_out;
+   }
  
  	pk = ecc_alloc_point(ndigits);

if (!pk) {
ret = -ENOMEM;
-   goto out;
+   goto kfree_out;
}
  
  	product = ecc_alloc_point(ndigits);

@@ -1051,6 +1057,8 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, 
unsigned int ndigits,
goto err_alloc_product;
}
  
+	get_random_bytes(rand_z, ndigits << ECC_DIGITS_TO_BYTES_SHIFT);

+
ecc_swap_digits(public_key, pk->x, ndigits);
ecc_swap_digits(_key[ndigits], pk->y, ndigits);
ecc_swap_digits(private_key, priv, ndigits);
@@ -1065,6 +1073,9 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, 
unsigned int ndigits,
ecc_free_point(product);
  err_alloc_product:
ecc_free_point(pk);
+kfree_out:
+   kfree(priv);


I think we should use kzfree here.


+   kfree(rand_z);


Probably here too. Looks like there are few intermediate buffers in ecc
that should be zeroized as well.

Best,
ta

  out:
return ret;
  }

[PATCH] crypto/ecc: Remove stack VLA usage

2018-03-07 Thread Kees Cook

On the quest to remove all VLAs from the kernel[1], this switches to
a pair of kmalloc regions instead of using the stack. This also moves
the get_random_bytes() after all allocations (and drops the needless
"nbytes" variable).

[1] https://lkml.org/lkml/2018/3/7/621

Signed-off-by: Kees Cook 
---
 crypto/ecc.c | 23 +--
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/crypto/ecc.c b/crypto/ecc.c
index 18f32f2a5e1c..5bfa63603da0 100644
--- a/crypto/ecc.c
+++ b/crypto/ecc.c
@@ -1025,9 +1025,7 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, 
unsigned int ndigits,
 {
int ret = 0;
struct ecc_point *product, *pk;
-   u64 priv[ndigits];
-   u64 rand_z[ndigits];
-   unsigned int nbytes;
+   u64 *priv, *rand_z;
const struct ecc_curve *curve = ecc_get_curve(curve_id);
 
if (!private_key || !public_key || !curve) {
@@ -1035,14 +1033,22 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, 
unsigned int ndigits,
goto out;
}
 
-   nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
+   priv = kmalloc_array(ndigits, sizeof(*priv), GFP_KERNEL);
+   if (!priv) {
+   ret = -ENOMEM;
+   goto out;
+   }
 
-   get_random_bytes(rand_z, nbytes);
+   rand_z = kmalloc_array(ndigits, sizeof(*rand_z), GFP_KERNEL);
+   if (!rand_z) {
+   ret = -ENOMEM;
+   goto kfree_out;
+   }
 
pk = ecc_alloc_point(ndigits);
if (!pk) {
ret = -ENOMEM;
-   goto out;
+   goto kfree_out;
}
 
product = ecc_alloc_point(ndigits);
@@ -1051,6 +1057,8 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, 
unsigned int ndigits,
goto err_alloc_product;
}
 
+   get_random_bytes(rand_z, ndigits << ECC_DIGITS_TO_BYTES_SHIFT);
+
ecc_swap_digits(public_key, pk->x, ndigits);
ecc_swap_digits(_key[ndigits], pk->y, ndigits);
ecc_swap_digits(private_key, priv, ndigits);
@@ -1065,6 +1073,9 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, 
unsigned int ndigits,
ecc_free_point(product);
 err_alloc_product:
ecc_free_point(pk);
+kfree_out:
+   kfree(priv);
+   kfree(rand_z);
 out:
return ret;
 }
-- 
2.7.4


-- 
Kees Cook
Pixel Security

[PATCH] crypto/ecc: Remove stack VLA usage

2018-03-07 Thread Kees Cook

On the quest to remove all VLAs from the kernel[1], this switches to
a pair of kmalloc regions instead of using the stack. This also moves
the get_random_bytes() after all allocations (and drops the needless
"nbytes" variable).

[1] https://lkml.org/lkml/2018/3/7/621

Signed-off-by: Kees Cook 
---
 crypto/ecc.c | 23 +--
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/crypto/ecc.c b/crypto/ecc.c
index 18f32f2a5e1c..5bfa63603da0 100644
--- a/crypto/ecc.c
+++ b/crypto/ecc.c
@@ -1025,9 +1025,7 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, 
unsigned int ndigits,
 {
int ret = 0;
struct ecc_point *product, *pk;
-   u64 priv[ndigits];
-   u64 rand_z[ndigits];
-   unsigned int nbytes;
+   u64 *priv, *rand_z;
const struct ecc_curve *curve = ecc_get_curve(curve_id);
 
if (!private_key || !public_key || !curve) {
@@ -1035,14 +1033,22 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, 
unsigned int ndigits,
goto out;
}
 
-   nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
+   priv = kmalloc_array(ndigits, sizeof(*priv), GFP_KERNEL);
+   if (!priv) {
+   ret = -ENOMEM;
+   goto out;
+   }
 
-   get_random_bytes(rand_z, nbytes);
+   rand_z = kmalloc_array(ndigits, sizeof(*rand_z), GFP_KERNEL);
+   if (!rand_z) {
+   ret = -ENOMEM;
+   goto kfree_out;
+   }
 
pk = ecc_alloc_point(ndigits);
if (!pk) {
ret = -ENOMEM;
-   goto out;
+   goto kfree_out;
}
 
product = ecc_alloc_point(ndigits);
@@ -1051,6 +1057,8 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, 
unsigned int ndigits,
goto err_alloc_product;
}
 
+   get_random_bytes(rand_z, ndigits << ECC_DIGITS_TO_BYTES_SHIFT);
+
ecc_swap_digits(public_key, pk->x, ndigits);
ecc_swap_digits(_key[ndigits], pk->y, ndigits);
ecc_swap_digits(private_key, priv, ndigits);
@@ -1065,6 +1073,9 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, 
unsigned int ndigits,
ecc_free_point(product);
 err_alloc_product:
ecc_free_point(pk);
+kfree_out:
+   kfree(priv);
+   kfree(rand_z);
 out:
return ret;
 }
-- 
2.7.4


-- 
Kees Cook
Pixel Security

Re: [PATCH] crypto/ecc: Remove stack VLA usage

Re: [PATCH] crypto/ecc: Remove stack VLA usage

Re: [PATCH] crypto/ecc: Remove stack VLA usage

Re: [PATCH] crypto/ecc: Remove stack VLA usage

Re: [PATCH] crypto/ecc: Remove stack VLA usage

Re: [PATCH] crypto/ecc: Remove stack VLA usage

[PATCH] crypto/ecc: Remove stack VLA usage

[PATCH] crypto/ecc: Remove stack VLA usage

8 matches

Site Navigation

Mail list logo

Footer information