Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp10402739ybi; Wed, 24 Jul 2019 22:34:21 -0700 (PDT) X-Google-Smtp-Source: APXvYqys8K/+bgQvV+8mLRrg7UvdQ0pvVKQdLyojI9/vUEYdiPwHvIYqFJWnfl5MG/1tQnsXV2rR X-Received: by 2002:a17:90a:ad89:: with SMTP id s9mr91920345pjq.41.1564032861349; Wed, 24 Jul 2019 22:34:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1564032861; cv=none; d=google.com; s=arc-20160816; b=mhymQIHwhftwxGs4bOf4SaP6XlTjMSKlrYTk7K/2eDjNkgti9WzMOh3cj/t1VUOzc1 LCKdFXRb7/eI7LzxkGDvDsAvsgftvkOLyBD8zA7CCAg8tInOs+gbIBjcEojA/ur4zolH 77NwmR72hky9kkGsMtSlShOTX7kpLD6qDdgjBBg9Z09kL9b9HfSWq916Lmmd7+jL+mjY T2IdzJeNFfYGpHIeUMQx2p6F9JatAf3Do7YpLIRLdEmEE5maoJuCsSimga7SRYwQ355Y 5aEeqGBWvpe12YivaCmjjEwoBLLC8AGSEOM1FfSCEe2bdZVJVMjiZPBB1VaDOT0PjKCZ 8MfQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=xDf4h4lFuKWgspCPv7mAgkt6HybhdLR3fjNmJkFiqiI=; b=Gnn+BZWBTmQg6zjD+Xm0Msy9Xa3kKt5x+rgvIumu3uJUB//JLbyt6i2AnF31uUpvKF Qk3AQDNYW1NSWCQRYTbo0HxfrJo7Q0elidXY7W/f2jOj3jpu+U58yIZ1Dn3eLT/zMpOd Z4Y5pRHKztfp5tx8z7C3Ef5I60A+BkvhpY2/zyCEfJpc562+MEIAaOP/44/XBeYsby2V F4O/Es+f97gKZ2FVFedPEHL/ORfqSN6+jottZMq2U7iPP2oA9X+VV4wHkgjA1XMSiE63 Ul0IPqhcRlRK2o9rewcfcM4n628o5u4aM7SAGO+3ajzKqDwpUZKovrdR1BO3XgTYWNSc pl+g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Y2iuQBOq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o131si17280523pgo.445.2019.07.24.22.33.30; Wed, 24 Jul 2019 22:34:21 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Y2iuQBOq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2403957AbfGXTyq (ORCPT + 99 others); Wed, 24 Jul 2019 15:54:46 -0400 Received: from mail.kernel.org ([198.145.29.99]:37884 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2404416AbfGXTym (ORCPT ); Wed, 24 Jul 2019 15:54:42 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E31B722ADC; Wed, 24 Jul 2019 19:54:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1563998082; bh=HMENl/L5+knTn/Fjjyg+GxPo4hsqznlJ+G8e9eT390w=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Y2iuQBOqQiilVxNeo+7LY34OHmWU7Ou9oQgPY7ImaNaIiLr9W7q+Zh8C9Qcm2cXXQ ESZ5sj+C/Wpr/LalzKMMfpAkCx3H7xN3XJAh3AuIQVN4iExH/7746MdWhlG3VhzS5D OPYH2/RQjr3+WZKYRrqS/iWPJ1bXBPylmesUPk3w= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Peter Robinson , Eric Biggers , Herbert Xu Subject: [PATCH 5.1 239/371] crypto: ghash - fix unaligned memory access in ghash_setkey() Date: Wed, 24 Jul 2019 21:19:51 +0200 Message-Id: <20190724191742.620811056@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190724191724.382593077@linuxfoundation.org> References: <20190724191724.382593077@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Eric Biggers commit 5c6bc4dfa515738149998bb0db2481a4fdead979 upstream. Changing ghash_mod_init() to be subsys_initcall made it start running before the alignment fault handler has been installed on ARM. In kernel builds where the keys in the ghash test vectors happened to be misaligned in the kernel image, this exposed the longstanding bug that ghash_setkey() is incorrectly casting the key buffer (which can have any alignment) to be128 for passing to gf128mul_init_4k_lle(). Fix this by memcpy()ing the key to a temporary buffer. Don't fix it by setting an alignmask on the algorithm instead because that would unnecessarily force alignment of the data too. Fixes: 2cdc6899a88e ("crypto: ghash - Add GHASH digest algorithm for GCM") Reported-by: Peter Robinson Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers Tested-by: Peter Robinson Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman --- crypto/ghash-generic.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/crypto/ghash-generic.c +++ b/crypto/ghash-generic.c @@ -34,6 +34,7 @@ static int ghash_setkey(struct crypto_sh const u8 *key, unsigned int keylen) { struct ghash_ctx *ctx = crypto_shash_ctx(tfm); + be128 k; if (keylen != GHASH_BLOCK_SIZE) { crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); @@ -42,7 +43,12 @@ static int ghash_setkey(struct crypto_sh if (ctx->gf128) gf128mul_free_4k(ctx->gf128); - ctx->gf128 = gf128mul_init_4k_lle((be128 *)key); + + BUILD_BUG_ON(sizeof(k) != GHASH_BLOCK_SIZE); + memcpy(&k, key, GHASH_BLOCK_SIZE); /* avoid violating alignment rules */ + ctx->gf128 = gf128mul_init_4k_lle(&k); + memzero_explicit(&k, GHASH_BLOCK_SIZE); + if (!ctx->gf128) return -ENOMEM;