Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp10425856ybi; Wed, 24 Jul 2019 23:00:53 -0700 (PDT) X-Google-Smtp-Source: APXvYqyBZZmxGFC7P8ZcxhMDkpyxKTQKINPwU6Tn8Pee6U0aYU4C4FX860F55J4vOxQRCT5wsTE1 X-Received: by 2002:a17:902:27e6:: with SMTP id i35mr89044727plg.190.1564034453234; Wed, 24 Jul 2019 23:00:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1564034453; cv=none; d=google.com; s=arc-20160816; b=tIBPcT4/p1+XfbkKYdZhoP/QtzgUGGmIGAjVXfpO8Vocf6YmFHs44HR2k0SrtzZK6J NMJm2g3ZsByJ+FgBOy1x/5KaLk5q41wWzAu4bHfaMtDwM+/iaBcjpfAfa6wWhxBuv42H uUF3hR0votACBlf2pq44alro7hMdhk0wc6pgjkZnW7HaWiXLrzV/7Db0fFMs8ZoO0nsO zifY3Ep4lagUmToktoMa6nNS3NxchGSNtsQlTunrRlIeHmNJrqxOtDkoivp/+gcPgYXa rxHq36tZrZuZfdhrpaumk60jZ7IS0J2OxrJuOElcpHJfcM7T5SZCyAcXjdjdmPziApB/ kmYA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=xDf4h4lFuKWgspCPv7mAgkt6HybhdLR3fjNmJkFiqiI=; b=YpHEesz+EAt9dslgJBtPRI4vhICMjEPI0q/2BfMxfdh9MBRVdLKJs4pFf4SIWLEXd+ VQsZZ6VHs8NkIBurLlNX/9HV07fv7P3Pkldkxh6V/mSk4DZOGgSdBGlg7zftW5sw05Ra CFiEUm1wAUzMe2/ql3AFCn/+GD5BYRtuJrZpfOws3cwiIi1o4QxxnUwwg9Dv3yVz/CoR eVZZJITmI6ZdeHCVUfANhcidYYSMMzlF4evNPFpvR1bsT2+O+szKYpiMd4ldR7XQo2BW YaN541oUB2iUqBT5z6wIaV32TgKY6+cjd34ebdCkYAAYasgd6B73/RwtZwvkuVrc13JK +LHQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=pGjgTmiW; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v125si16896260pgb.262.2019.07.24.23.00.38; Wed, 24 Jul 2019 23:00:53 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=pGjgTmiW; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391197AbfGYFoM (ORCPT + 99 others); Thu, 25 Jul 2019 01:44:12 -0400 Received: from mail.kernel.org ([198.145.29.99]:59250 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391189AbfGYFoK (ORCPT ); Thu, 25 Jul 2019 01:44:10 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 2A0DE22C7D; Thu, 25 Jul 2019 05:44:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1564033449; bh=HMENl/L5+knTn/Fjjyg+GxPo4hsqznlJ+G8e9eT390w=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=pGjgTmiWzLmQ+wE3xDz/ZhvyYLG0HHydm8PD/drj2HSQpSn09NHo2S1GJxL98DjAi AZqrN/S/QXrxzjRTKKAw2XCiFGjYbIOI/Fn4P3Ndtb5KqvykGziu076c/cmFz6G9tD za66C1sxeOyNRJfGenoJ7lgEno8xGRjJwqqJa9ag= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Peter Robinson , Eric Biggers , Herbert Xu Subject: [PATCH 4.19 172/271] crypto: ghash - fix unaligned memory access in ghash_setkey() Date: Wed, 24 Jul 2019 21:20:41 +0200 Message-Id: <20190724191709.922316026@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190724191655.268628197@linuxfoundation.org> References: <20190724191655.268628197@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Eric Biggers commit 5c6bc4dfa515738149998bb0db2481a4fdead979 upstream. Changing ghash_mod_init() to be subsys_initcall made it start running before the alignment fault handler has been installed on ARM. In kernel builds where the keys in the ghash test vectors happened to be misaligned in the kernel image, this exposed the longstanding bug that ghash_setkey() is incorrectly casting the key buffer (which can have any alignment) to be128 for passing to gf128mul_init_4k_lle(). Fix this by memcpy()ing the key to a temporary buffer. Don't fix it by setting an alignmask on the algorithm instead because that would unnecessarily force alignment of the data too. Fixes: 2cdc6899a88e ("crypto: ghash - Add GHASH digest algorithm for GCM") Reported-by: Peter Robinson Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers Tested-by: Peter Robinson Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman --- crypto/ghash-generic.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/crypto/ghash-generic.c +++ b/crypto/ghash-generic.c @@ -34,6 +34,7 @@ static int ghash_setkey(struct crypto_sh const u8 *key, unsigned int keylen) { struct ghash_ctx *ctx = crypto_shash_ctx(tfm); + be128 k; if (keylen != GHASH_BLOCK_SIZE) { crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); @@ -42,7 +43,12 @@ static int ghash_setkey(struct crypto_sh if (ctx->gf128) gf128mul_free_4k(ctx->gf128); - ctx->gf128 = gf128mul_init_4k_lle((be128 *)key); + + BUILD_BUG_ON(sizeof(k) != GHASH_BLOCK_SIZE); + memcpy(&k, key, GHASH_BLOCK_SIZE); /* avoid violating alignment rules */ + ctx->gf128 = gf128mul_init_4k_lle(&k); + memzero_explicit(&k, GHASH_BLOCK_SIZE); + if (!ctx->gf128) return -ENOMEM;