From patchwork Tue Mar 13 04:29:06 2018
X-Patchwork-Submitter: Tycho Andersen
X-Patchwork-Id: 10277757
From: Tycho Andersen
To: David Howells
Cc: keyrings@vger.kernel.org, linux-security-module@vger.kernel.org,
 linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com,
 Tycho Andersen, James Morris, "Serge E. Hallyn", "Jason A . Donenfeld"
Subject: [PATCH 1/2] big key: get rid of stack array allocation
Date: Mon, 12 Mar 2018 22:29:06 -0600
Message-Id: <20180313042907.29598-1-tycho@tycho.ws>

We're interested in getting rid of all of the stack allocated arrays in the
kernel [1]. This patch removes one in keys by switching to malloc/free.
Note that we use kzalloc, to avoid leaking the nonce. I'm not sure this is
really necessary, but extra paranoia seems prudent.

Manually tested using the program from the add_key man page to trigger
big_key.

[1]: https://lkml.org/lkml/2018/3/7/621

Signed-off-by: Tycho Andersen
CC: David Howells
CC: James Morris
CC: "Serge E. Hallyn"
CC: Jason A. Donenfeld
---
 security/keys/big_key.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/security/keys/big_key.c b/security/keys/big_key.c index fa728f662a6f..70f9f785c59d 100644 --- a/security/keys/big_key.c +++ b/security/keys/big_key.c
@@ -108,13 +108,18 @@ static int big_key_crypt(enum big_key_op op, struct big_key_buf *buf, size_t dat * an .update function, so there's no chance we'll wind up reusing the * key to encrypt updated data. Simply put: one key, one encryption. */ - u8 zero_nonce[crypto_aead_ivsize(big_key_aead)]; + u8 *zero_nonce; + + zero_nonce = kzalloc(crypto_aead_ivsize(big_key_aead), GFP_KERNEL); + if (!zero_nonce) + return -ENOMEM; aead_req = aead_request_alloc(big_key_aead, GFP_KERNEL); - if (!aead_req) + if (!aead_req) { + kfree(zero_nonce); return -ENOMEM; + } - memset(zero_nonce, 0, sizeof(zero_nonce)); aead_request_set_crypt(aead_req, buf->sg, buf->sg, datalen, zero_nonce); aead_request_set_callback(aead_req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL); aead_request_set_ad(aead_req, 0); @@ -131,6 +136,7 @@ static int big_key_crypt(enum big_key_op op, struct big_key_buf *buf, size_t dat error: mutex_unlock(&big_key_aead_lock); aead_request_free(aead_req); + kzfree(zero_nonce); return ret; }
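
Review bot: In the first hunk, the zeroing done by kzalloc is now the only thing that makes zero_nonce actually zero, because the line "memset(zero_nonce, 0, sizeof(zero_nonce));" is removed. That makes kzalloc a correctness requirement for the "one key, one encryption" scheme described in the comment above, not an optional hardening step as the commit message suggests. Please add a short comment at the allocation saying the buffer must be zero-filled, so that a later cleanup to kmalloc does not silently pass an uninitialised nonce to aead_request_set_crypt(). It is also worth stating in the commit message that this replaces a stack buffer with a GFP_KERNEL allocation and a new -ENOMEM return on every big_key_crypt() call.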
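
Review bot: The two release paths for zero_nonce are inconsistent: the early return in the first hunk uses "kfree(zero_nonce);" while the error: label in the second hunk uses "kzfree(zero_nonce);". The buffer is allocated zeroed and is only ever passed as the IV, so there is nothing secret in it to scrub and plain kfree() would be enough in both places. If the intent is to clear it regardless, use kzfree() on both paths and say why in a comment. Either way, pick one so the next reader does not have to work out whether the difference is deliberate.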