Re: [PATCH] crypto/ecc: Remove stack VLA usage

From: Tudor Ambarus
Date: Thu Mar 08 2018 - 04:43:59 EST

Next message: Sebastian Reichel: "Re: [PATCHv5 3/5] mfd: motorola-cpcap: Add audio-codec support"
Previous message: Jerome Brunet: "Re: [PATCH] clk: fix phase reported being zero"
Next in thread: Kees Cook: "Re: [PATCH] crypto/ecc: Remove stack VLA usage"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi, Kees,

On 03/07/2018 11:56 PM, Kees Cook wrote:

On the quest to remove all VLAs from the kernel[1], this switches to
a pair of kmalloc regions instead of using the stack. This also moves
the get_random_bytes() after all allocations (and drops the needless
"nbytes" variable).

[1] https://lkml.org/lkml/2018/3/7/621

Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
---
crypto/ecc.c | 23 +++++++++++++++++------
1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/crypto/ecc.c b/crypto/ecc.c
index 18f32f2a5e1c..5bfa63603da0 100644
--- a/crypto/ecc.c
+++ b/crypto/ecc.c
@@ -1025,9 +1025,7 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
{
int ret = 0;
struct ecc_point *product, *pk;
- u64 priv[ndigits];
- u64 rand_z[ndigits];
- unsigned int nbytes;
+ u64 *priv, *rand_z;
const struct ecc_curve *curve = ecc_get_curve(curve_id);
if (!private_key || !public_key || !curve) {
@@ -1035,14 +1033,22 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
goto out;
}
- nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
+ priv = kmalloc_array(ndigits, sizeof(*priv), GFP_KERNEL);
+ if (!priv) {
+ ret = -ENOMEM;
+ goto out;
+ }
- get_random_bytes(rand_z, nbytes);
+ rand_z = kmalloc_array(ndigits, sizeof(*rand_z), GFP_KERNEL);
+ if (!rand_z) {
+ ret = -ENOMEM;
+ goto kfree_out;
+ }
pk = ecc_alloc_point(ndigits);
if (!pk) {
ret = -ENOMEM;
- goto out;
+ goto kfree_out;
}
product = ecc_alloc_point(ndigits);
@@ -1051,6 +1057,8 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
goto err_alloc_product;
}
+ get_random_bytes(rand_z, ndigits << ECC_DIGITS_TO_BYTES_SHIFT);
+
ecc_swap_digits(public_key, pk->x, ndigits);
ecc_swap_digits(&public_key[ndigits], pk->y, ndigits);
ecc_swap_digits(private_key, priv, ndigits);
@@ -1065,6 +1073,9 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
ecc_free_point(product);
err_alloc_product:
ecc_free_point(pk);
+kfree_out:
+ kfree(priv);

I think we should use kzfree here.

+ kfree(rand_z);

Probably here too. Looks like there are few intermediate buffers in ecc
that should be zeroized as well.

Best,
ta

out:
return ret;
}

Next message: Sebastian Reichel: "Re: [PATCHv5 3/5] mfd: motorola-cpcap: Add audio-codec support"
Previous message: Jerome Brunet: "Re: [PATCH] clk: fix phase reported being zero"
Next in thread: Kees Cook: "Re: [PATCH] crypto/ecc: Remove stack VLA usage"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]