On Wed, Jun 20, 2018 at 12:44 PM, Arnd Bergmann <a...@arndb.de> wrote: > On Wed, Jun 20, 2018 at 9:04 PM, Kees Cook <keesc...@chromium.org> wrote: >> In the quest to remove all stack VLA usage from the kernel[1], this >> caps the skcipher request size similar to other limits and adds a sanity >> check at registration. >> >> >> +#define SKCIPHER_MAX_REQSIZE (PAGE_SIZE / 8) >> + >> #define SKCIPHER_REQUEST_ON_STACK(name, tfm) \ >> char __##name##_desc[sizeof(struct skcipher_request) + \ >> - crypto_skcipher_reqsize(tfm)] CRYPTO_MINALIGN_ATTR; \ >> + SKCIPHER_MAX_REQSIZE] CRYPTO_MINALIGN_ATTR; \ >> struct skcipher_request *name = (void *)__##name##_desc >> > > This is probably a bad idea on kernels with large values of PAGE_SIZE. > Some users on ppc64 and arm64 use 64KB here, but still limit > the per-function stack size to 2KB.
We could make all of these PAGE_SIZE-related limits explicitly 512? I think that was the intent originally. -Kees -- Kees Cook Pixel Security -- dm-devel mailing list dm-devel@redhat.com https://www.redhat.com/mailman/listinfo/dm-devel
