From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Ard Biesheuvel, Eric Biggers, Herbert Xu
Subject: [PATCH 5.0 039/238] crypto: arm64/aes-neonbs - fix returning final keystream block
Date: Fri, 22 Mar 2019 12:14:18 +0100
Message-Id: <20190322111300.687588385@linuxfoundation.org>
In-Reply-To: <20190322111258.383569278@linuxfoundation.org>
References: <20190322111258.383569278@linuxfoundation.org>

5.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers

commit 12455e320e19e9cc7ad97f4ab89c280fe297387c upstream.

The arm64 NEON bit-sliced implementation of AES-CTR fails the improved
skcipher tests because it sometimes produces the wrong ciphertext.  The
bug is that the final keystream block isn't returned from the assembly
code when the number of non-final blocks is zero.  This can happen if
the input data ends a few bytes after a page boundary.  In this case the
last bytes get "encrypted" by XOR'ing them with uninitialized memory.

Fix the assembly code to return the final keystream block when needed.

Fixes: 88a3f582bea9 ("crypto: arm64/aes - don't use IV buffer to return final keystream block")
Cc: # v4.11+
Reviewed-by: Ard Biesheuvel
Signed-off-by: Eric Biggers
Signed-off-by: Herbert Xu
Signed-off-by: Greg Kroah-Hartman
---
 arch/arm64/crypto/aes-neonbs-core.S | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/arch/arm64/crypto/aes-neonbs-core.S
+++ b/arch/arm64/crypto/aes-neonbs-core.S
@@ -971,18 +971,22 @@ CPU_LE( rev x8, x8 ) 8: next_ctr v0 st1 {v0.16b}, [x24] - cbz x23, 0f + cbz x23, .Lctr_done cond_yield_neon 98b b 99b -0: frame_pop +.Lctr_done: + frame_pop ret /* * If we are handling the tail of the input (x6 != NULL), return the * final keystream block back to the caller. */ +0: cbz x25, 8b + st1 {v0.16b}, [x25] + b 8b 1: cbz x25, 8b st1 {v1.16b}, [x25] b 8b
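
Review bot: the new `0:` stanza reuses a numeric local label that used to mark the exit path (`0: frame_pop`), so any forward branch to `0f` earlier in the function, outside these lines, silently changes meaning from "pop the frame and return" to "store v0 to [x25], then continue at 8". That is what the fix wants, but nothing at the branch site or at the stanza says so. A named label in the style of the new `.Lctr_done`, or a one-line comment on the stanza stating that it covers the case where the number of non-final blocks is zero, would make the control flow reviewable without reading the whole function. The block comment above the stanzas also still refers to `x6 != NULL` while every stanza, including the new one, tests `x25`; the comment should name the register that is actually checked.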