Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp9981324ybi; Wed, 24 Jul 2019 13:29:15 -0700 (PDT) X-Google-Smtp-Source: APXvYqzMCw8hL2QVJkBERAmNzvVJ8lsWCuX8dJ8g9do8sRgD2Y0nn0U+OEvKkjdUu3uggbfwNcp5 X-Received: by 2002:a17:902:3103:: with SMTP id w3mr89129284plb.84.1564000155620; Wed, 24 Jul 2019 13:29:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1564000155; cv=none; d=google.com; s=arc-20160816; b=sq7AXCwLvvJ9FCr8i4uxH6t1RPKxdu6dPYCU4I8ELWUHolti9RKrgbkpRB0fLNL6Ih j5nAVDYi67U4stEK6OWIbJPuNQIZbRe0UYYfpCJ/CC48S/qxetMLV8iARmgGWr0Ycbo3 cNh0rZQotIL6X47+gT7HAyE5sQrVcjtuygI7dwCGqfwBdpaw5wcSNPxggPj/9fRuHGuM 2e4inXs/iteAMUcmzZnl+pabPxvQoqzWC5zfXxZK2cWbo9xa+BaOPQnJ0INhZnHIw1yn Vxl5jYM1a1bVVLASVM2+e3K3Gvfgtwugt922cP224a4kONw58sUwm+Tz69Mduc7qctB/ qPOQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=Pct7NfuGDq7vhKSr0qtgU4Wnhyv9WFWYyonMSAcdhGs=; b=sZJufYV+Alpotk03mF67C4RQxds+XfBWBE04MTu7ocTcM/w1L/3Mo++56Vs7/xK3tk 4qB8vyITm6wr1s0oJiMamb92i0Ya4rFIdP+0ora+hs6EWsUMTlXPHm0sVNFqDLAquJMY SMAym17LGx6MWERXHPf1NctkGyNEIbNi4Pny+yHIFWVuXrgkOGLOxhgnNMRFZbN4XCwH IuU20ZMyQPRV7XiPGgWJxUTHD7Hj7Zv3fcxJ06fapCjyC5BKDqJwa4bToFbPet4N1ArL f2IN88NSab63KJVJHwAqak7N+jku168nO7lNlML9cB38mC2HB8XMObc/iUYg8UhRrpvC xHzg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="JzWkfbU/"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u38si14852380pgl.507.2019.07.24.13.29.00; Wed, 24 Jul 2019 13:29:15 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="JzWkfbU/"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389030AbfGXTfc (ORCPT + 99 others); Wed, 24 Jul 2019 15:35:32 -0400 Received: from mail.kernel.org ([198.145.29.99]:60064 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2389195AbfGXTfX (ORCPT ); Wed, 24 Jul 2019 15:35:23 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3C97B20659; Wed, 24 Jul 2019 19:35:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1563996922; bh=EHcCKHRk1eOz+b0bwItEjZPMk5Rvwz+Yhh/TuND2V/4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=JzWkfbU/qHk+plhqJQyXSotj36WByvz+AvMxC9SV3tpFoFsecEfnUZR7rJfL+vNoR sCqUe4u1bmsKRhFYUgsuHZFE+2wiv+LLRpiArbwGpjq7+hAtosHilJHjmctFN9p4lZ 2olAQ/MEBkfae3AD3Qv+EaoJmz9m9qTWz0j+E9B0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Peter Robinson , Eric Biggers , Herbert Xu Subject: [PATCH 5.2 263/413] crypto: ghash - fix unaligned memory access in ghash_setkey() Date: Wed, 24 Jul 2019 21:19:14 +0200 Message-Id: <20190724191754.964857112@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190724191735.096702571@linuxfoundation.org> References: <20190724191735.096702571@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Eric Biggers commit 5c6bc4dfa515738149998bb0db2481a4fdead979 upstream. Changing ghash_mod_init() to be subsys_initcall made it start running before the alignment fault handler has been installed on ARM. In kernel builds where the keys in the ghash test vectors happened to be misaligned in the kernel image, this exposed the longstanding bug that ghash_setkey() is incorrectly casting the key buffer (which can have any alignment) to be128 for passing to gf128mul_init_4k_lle(). Fix this by memcpy()ing the key to a temporary buffer. Don't fix it by setting an alignmask on the algorithm instead because that would unnecessarily force alignment of the data too. Fixes: 2cdc6899a88e ("crypto: ghash - Add GHASH digest algorithm for GCM") Reported-by: Peter Robinson Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers Tested-by: Peter Robinson Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman --- crypto/ghash-generic.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/crypto/ghash-generic.c +++ b/crypto/ghash-generic.c @@ -31,6 +31,7 @@ static int ghash_setkey(struct crypto_sh const u8 *key, unsigned int keylen) { struct ghash_ctx *ctx = crypto_shash_ctx(tfm); + be128 k; if (keylen != GHASH_BLOCK_SIZE) { crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); @@ -39,7 +40,12 @@ static int ghash_setkey(struct crypto_sh if (ctx->gf128) gf128mul_free_4k(ctx->gf128); - ctx->gf128 = gf128mul_init_4k_lle((be128 *)key); + + BUILD_BUG_ON(sizeof(k) != GHASH_BLOCK_SIZE); + memcpy(&k, key, GHASH_BLOCK_SIZE); /* avoid violating alignment rules */ + ctx->gf128 = gf128mul_init_4k_lle(&k); + memzero_explicit(&k, GHASH_BLOCK_SIZE); + if (!ctx->gf128) return -ENOMEM;