From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 85A8FC4708D for ; Fri, 9 Dec 2022 14:16:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229942AbiLIOQi (ORCPT ); Fri, 9 Dec 2022 09:16:38 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43994 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230014AbiLIOQQ (ORCPT ); Fri, 9 Dec 2022 09:16:16 -0500 Received: from frasgout13.his.huawei.com (frasgout13.his.huawei.com [14.137.139.46]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 69916DF9; Fri, 9 Dec 2022 06:15:45 -0800 (PST) Received: from mail02.huawei.com (unknown [172.18.147.227]) by frasgout13.his.huawei.com (SkyGuard) with ESMTP id 4NTCYF4PwGz9v7Gd; Fri, 9 Dec 2022 22:08:33 +0800 (CST) Received: from roberto-ThinkStation-P620 (unknown [10.204.63.22]) by APP1 (Coremail) with SMTP id LxC2BwAHpXHuQpNjVynSAA--.22221S2; Fri, 09 Dec 2022 15:15:20 +0100 (CET) Message-ID: <3f1c74f320a288b6581241fc3039103cbcee7b27.camel@huaweicloud.com> Subject: Re: [PATCH] KEYS: asymmetric: Make a copy of sig and digest in vmalloced stack From: Roberto Sassu To: Eric Biggers Cc: dhowells@redhat.com, herbert@gondor.apana.org.au, davem@davemloft.net, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, Roberto Sassu , stable@vger.kernel.org Date: Fri, 09 Dec 2022 15:15:06 +0100 In-Reply-To: References: <20221208164610.867747-1-roberto.sassu@huaweicloud.com> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.36.5-0ubuntu1 MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-CM-TRANSID: LxC2BwAHpXHuQpNjVynSAA--.22221S2 X-Coremail-Antispam: 1UD129KBjvJXoWxWF43AFyDtr4rJrWfur1Dtrb_yoW5CFyfpa 95Wr4DtFWUGr1UCr17C3W8Kw47Aw10kF129w4Fyw15Crn8ZryxC3y0kr45WFyfJrWkXFyI yrW8XwsxZFn8XaDanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUkjb4IE77IF4wAFF20E14v26ryj6rWUM7CY07I20VC2zVCF04k2 6cxKx2IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rwA2F7IY1VAKz4 vEj48ve4kI8wA2z4x0Y4vE2Ix0cI8IcVAFwI0_Jr0_JF4l84ACjcxK6xIIjxv20xvEc7Cj xVAFwI0_Gr0_Cr1l84ACjcxK6I8E87Iv67AKxVW8JVWxJwA2z4x0Y4vEx4A2jsIEc7CjxV AFwI0_Gr0_Gr1UM2AIxVAIcxkEcVAq07x20xvEncxIr21l5I8CrVACY4xI64kE6c02F40E x7xfMcIj6xIIjxv20xvE14v26r1j6r18McIj6I8E87Iv67AKxVWUJVW8JwAm72CE4IkC6x 0Yz7v_Jr0_Gr1lF7xvr2IY64vIr41lFIxGxcIEc7CjxVA2Y2ka0xkIwI1l42xK82IYc2Ij 64vIr41l4I8I3I0E4IkC6x0Yz7v_Jr0_Gr1lx2IqxVAqx4xG67AKxVWUJVWUGwC20s026x 8GjcxK67AKxVWUGVWUWwC2zVAF1VAY17CE14v26r4a6rW5MIIYrxkI7VAKI48JMIIF0xvE 2Ix0cI8IcVAFwI0_Jr0_JF4lIxAIcVC0I7IYx2IY6xkF7I0E14v26r4j6F4UMIIF0xvE42 xK8VAvwI8IcIk0rVWrZr1j6s0DMIIF0xvEx4A2jsIE14v26r1j6r4UMIIF0xvEx4A2jsIE c7CjxVAFwI0_Gr0_Gr1UYxBIdaVFxhVjvjDU0xZFpf9x07UZ18PUUUUU= X-CM-SenderInfo: purev21wro2thvvxqx5xdzvxpfor3voofrz/1tbiAgABBF1jj4J5TAABsA X-CFilter-Loop: Reflected Precedence: bulk List-ID: On Thu, 2022-12-08 at 15:17 -0800, Eric Biggers wrote: > On Thu, Dec 08, 2022 at 05:46:10PM +0100, Roberto Sassu wrote: > > diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c > > index 2f8352e88860..307799ffbc3e 100644 > > --- a/crypto/asymmetric_keys/public_key.c > > +++ b/crypto/asymmetric_keys/public_key.c > > @@ -363,7 +363,8 @@ int public_key_verify_signature(const struct public_key *pkey, > > struct scatterlist src_sg[2]; > > char alg_name[CRYPTO_MAX_ALG_NAME]; > > char *key, *ptr; > > - int ret; > > + char *sig_s, *digest; > > + int ret, verif_bundle_len; > > > > pr_devel("==>%s()\n", __func__); > > > > @@ -400,8 +401,21 @@ int public_key_verify_signature(const struct public_key *pkey, > > if (!req) > > goto error_free_tfm; > > > > - key = kmalloc(pkey->keylen + sizeof(u32) * 2 + pkey->paramlen, > > - GFP_KERNEL); > > + verif_bundle_len = pkey->keylen + sizeof(u32) * 2 + pkey->paramlen; > > + > > + sig_s = sig->s; > > + digest = sig->digest; > > + > > + if (IS_ENABLED(CONFIG_VMAP_STACK)) { > > + if (!virt_addr_valid(sig_s)) > > + verif_bundle_len += sig->s_size; > > + > > + if (!virt_addr_valid(digest)) > > + verif_bundle_len += sig->digest_size; > > + } > > + > > + /* key points to a buffer which could contain the sig and digest too. */ > > + key = kmalloc(verif_bundle_len, GFP_KERNEL); > > if (!key) > > goto error_free_req; > > > > @@ -424,9 +438,24 @@ int public_key_verify_signature(const struct public_key *pkey, > > goto error_free_key; > > } > > > > + if (IS_ENABLED(CONFIG_VMAP_STACK)) { > > + ptr += pkey->paramlen; > > + > > + if (!virt_addr_valid(sig_s)) { > > + sig_s = ptr; > > + memcpy(sig_s, sig->s, sig->s_size); > > + ptr += sig->s_size; > > + } > > + > > + if (!virt_addr_valid(digest)) { > > + digest = ptr; > > + memcpy(digest, sig->digest, sig->digest_size); > > + } > > + } > > + > > sg_init_table(src_sg, 2); > > - sg_set_buf(&src_sg[0], sig->s, sig->s_size); > > - sg_set_buf(&src_sg[1], sig->digest, sig->digest_size); > > + sg_set_buf(&src_sg[0], sig_s, sig->s_size); > > + sg_set_buf(&src_sg[1], digest, sig->digest_size); > > akcipher_request_set_crypt(req, src_sg, NULL, sig->s_size, > > sig->digest_size); > > crypto_init_wait(&cwait); > > We should try to avoid adding error-prone special cases. How about just doing > the copy of the signature and digest unconditionally? That would be much > simpler. It would even mean that the scatterlist would only need one element. Took some time to figure out why Redzone was overwritten. There must be two separate scatterlists. If you set the first only with the sum of the key length and digest length, mpi_read_raw_from_sgl() called by rsa_enc() is going to write before the d pointer in MPI. for (x = 0; x < len; x++) { a <<= 8; a |= *buff++; if (((z + x + 1) % BYTES_PER_MPI_LIMB) == 0) { val->d[j--] = a; a = 0; } } Roberto > Also, the size of buffer needed is only > > max(pkey->keylen + sizeof(u32) * 2 + pkey->paramlen, > sig->s_size + sig->digest_size) > > ... since the signature and digest aren't needed until the key was already used. > > - Eric