Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp3819664ybi; Mon, 29 Jul 2019 13:15:07 -0700 (PDT) X-Google-Smtp-Source: APXvYqzjslHTFoHL/diHgZ4e2dCTAgQatfoMllCHQjg4VQblu3KKfXW1S2xIbxxSaqVZAcwj/Gcq X-Received: by 2002:a17:902:2aa9:: with SMTP id j38mr106601496plb.206.1564431307605; Mon, 29 Jul 2019 13:15:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1564431307; cv=none; d=google.com; s=arc-20160816; b=Y6fWsYhKtqHJefzhsVKInhPDqAiLAsRxhQ02NmyeDy2Orkd+3g5S4+C9wcB6n/wzIu l+6UTCoLcCowQmn64btOcj1MTfosd7qkqN+4tb9Wm9/zddSlMgLFInQz20Uv80d07kfE Bi8sOMmAHY7Fk0enH1r+sJRA1sw//OLQv7o5tT3Vx9eaXuzYrlUs8lwthYe6fUjty4mS IJIGFzk96Ho9zhgpabDMRAuWMnlAFBPuIw11Xz6nqFpUhSOXGw1xXbpt8J7Gy4OYoJmZ 59Bq66IFKN6A3S50hR+E1XttZiO0L0M+x92luoC7zvMO0VsYxVgbdOcXfsJZ20FA4oaF 9Y8Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=xDf4h4lFuKWgspCPv7mAgkt6HybhdLR3fjNmJkFiqiI=; b=FZag1FdykpSEca1wxEAXonjjGEh87FtV/sIW+yjdnYRY5fxQMrZ9rspVy03bbIgzRH ORxc3cVcD94gX5125inTPuuGe9u5X59dswqQ1YmEFFGsFNj1vnNHCxez9QXFTsczPHLc JNvwYXxjT2jFhZxXT0kvWHkyzYI8s0dIMlVIYgDaKqeBMSH89QyJ1VuS/lK3JytGPfhv 5WZ1o82jeBVKMnDuUZ8eddK7ksv+53Rq/IydFe8vYhZg58d4G8n8z0OYtsulRJFMkYK9 yJuJ3SDFm3fI80jzZMTQBAOmud5owsADjKiPklrgHxe176vOLXC13dbFbCjXSyNzgBRt LMZA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=bsBVMb1o; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p4si27149875pgh.350.2019.07.29.13.14.52; Mon, 29 Jul 2019 13:15:07 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=bsBVMb1o; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730373AbfG2UNj (ORCPT + 99 others); Mon, 29 Jul 2019 16:13:39 -0400 Received: from mail.kernel.org ([198.145.29.99]:42240 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728345AbfG2T3f (ORCPT ); Mon, 29 Jul 2019 15:29:35 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 12D1A2070B; Mon, 29 Jul 2019 19:29:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1564428574; bh=HMENl/L5+knTn/Fjjyg+GxPo4hsqznlJ+G8e9eT390w=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=bsBVMb1oNqZ+dfEsE3oR03L0QB15oAL43iio4a4qwoq/CKusE3EdRtbbOCHRleEp5 /PEP/SiSgCepPgTdNS71U41TBw19fjCOfdmhuQRjssneXpKagVXE/gmywuvMTdU+08 95tz2qESeYo7t6hKvo9CRaOEfu/j+q7p5WK4am1I= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Peter Robinson , Eric Biggers , Herbert Xu Subject: [PATCH 4.14 119/293] crypto: ghash - fix unaligned memory access in ghash_setkey() Date: Mon, 29 Jul 2019 21:20:10 +0200 Message-Id: <20190729190833.700397051@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190729190820.321094988@linuxfoundation.org> References: <20190729190820.321094988@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Eric Biggers commit 5c6bc4dfa515738149998bb0db2481a4fdead979 upstream. Changing ghash_mod_init() to be subsys_initcall made it start running before the alignment fault handler has been installed on ARM. In kernel builds where the keys in the ghash test vectors happened to be misaligned in the kernel image, this exposed the longstanding bug that ghash_setkey() is incorrectly casting the key buffer (which can have any alignment) to be128 for passing to gf128mul_init_4k_lle(). Fix this by memcpy()ing the key to a temporary buffer. Don't fix it by setting an alignmask on the algorithm instead because that would unnecessarily force alignment of the data too. Fixes: 2cdc6899a88e ("crypto: ghash - Add GHASH digest algorithm for GCM") Reported-by: Peter Robinson Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers Tested-by: Peter Robinson Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman --- crypto/ghash-generic.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/crypto/ghash-generic.c +++ b/crypto/ghash-generic.c @@ -34,6 +34,7 @@ static int ghash_setkey(struct crypto_sh const u8 *key, unsigned int keylen) { struct ghash_ctx *ctx = crypto_shash_ctx(tfm); + be128 k; if (keylen != GHASH_BLOCK_SIZE) { crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); @@ -42,7 +43,12 @@ static int ghash_setkey(struct crypto_sh if (ctx->gf128) gf128mul_free_4k(ctx->gf128); - ctx->gf128 = gf128mul_init_4k_lle((be128 *)key); + + BUILD_BUG_ON(sizeof(k) != GHASH_BLOCK_SIZE); + memcpy(&k, key, GHASH_BLOCK_SIZE); /* avoid violating alignment rules */ + ctx->gf128 = gf128mul_init_4k_lle(&k); + memzero_explicit(&k, GHASH_BLOCK_SIZE); + if (!ctx->gf128) return -ENOMEM;