Re: [PATCH] ima: dynamically allocate shash_desc
From: Arnd Bergmann
Date: Tue Jun 18 2019 - 14:12:09 EST
On Tue, Jun 18, 2019 at 3:55 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> On Mon, 2019-06-17 at 22:08 +0200, Arnd Bergmann wrote:
> > On Mon, Jun 17, 2019 at 8:08 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> > >
> > > On Mon, 2019-06-17 at 11:55 -0400, Mimi Zohar wrote:
> > > > On Mon, 2019-06-17 at 13:20 +0200, Arnd Bergmann wrote:
> > > > > On 32-bit ARM, we get a warning about excessive stack usage when
> > > > > building with clang.
> > > > >
> > > > > security/integrity/ima/ima_crypto.c:504:5: error: stack frame size
> > > > > of 1152 bytes in function 'ima_calc_field_array_hash' [-Werror,-
> > > > > Wframe-larger-than=]
> > > >
> > > > I'm definitely not seeing this. Is this problem a result of non
> > > > upstreamed patches? For sha1, currently the only possible hash
> > > > algorithm, I'm seeing 664.
> > You won't see it with gcc, only with clang in some randconfig builds,
> > I suppose only when KASAN is enabled.
> > > Every time a measurement is added to the measurement list, the memory
> > > would be allocated/freed. The frequency of new measurements is policy
> > > dependent. For performance reasons, I'd prefer if the allocation
> > > remains on the stack.
> > Is there a way to preallocate the shash_desc instead? That would
> > avoid the overhead.
> There are 3 other SHASH_DESC_ON_STACK definitions in just
> ima_crypto.c, with a total of ~55 other places in the kernel. Before
> fixing this particular function, I'd like to know if the "excessive
> stack usage" warning is limited to ima_calc_field_array_hash_tfm().
> If so, what is so special about its usage of SHASH_DESC_ON_STACK?
SHASH_DESC_ON_STACK() uses at least 512 bytes of stack
everywhere, which is half of the warning limit for a function on
32 bit kernels.
With KASAN, a small redzone is put around it so we can detect out
of bounds access to a variable that is passed by reference.
clang makes that buffer larger than gcc, so we end up with something
like 768 bytes for each instance of SHASH_DESC_ON_STACK().
Most other users still stay below the 1024 byte warning level though,
because typical functions only use a few bytes of stack space.
In case of ima_calc_field_array_hash_tfm(), the is also the buffer
array of 255 bytes that gets another large redzone.
I fixed up all the (randconfig) warnings I get for arm32, arm64 and
x86 kernels, and I think there were four to five that were because of
SHASH_DESC_ON_STACK(). It might make sense to convert all
three instances in ima to preallocate the descriptor if we do it for
one of them, even when it's not actually needed.