From: Ard Biesheuvel
Date: Sat, 2 Jan 2021 12:29:31 +0100
Subject: Re: [PATCH 4.19 287/346] crypto: ecdh - avoid unaligned accesses in ecdh_set_secret()
To: Pavel Machek
Cc: Greg Kroah-Hartman, Linux Kernel Mailing List, "# 3.4.x", Herbert Xu
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 31 Dec 2020 at 21:09, Pavel Machek wrote:
>
> Hi!
>
> > ecdh_set_secret() casts a void* pointer to a const u64* in order to
> > feed it into ecc_is_key_valid(). This is not generally permitted by
> > the C standard, and leads to actual misalignment faults on ARMv6
> > cores. In some cases, these are fixed up in software, but this still
> > leads to performance hits that are entirely avoidable.
> >
> > So let's copy the key into the ctx buffer first, which we will do
> > anyway in the common case, and which guarantees correct alignment.
>
> Fair enough... but: params.key_size is validated in
> ecc_is_key_valid(), and that now happens _after_ memcpy.
>
> How is it guaranteed that we don't overflow the buffer during memcpy?
>

It is not, thanks for pointing that out. There are some redundant
checks being performed, so you won't trigger it easily with fuzzing,
but afaict, an intentionally crafted invalid input could indeed
overflow the buffer.

I'll send a fix shortly.

> > +++ b/crypto/ecdh.c
> > @@ -57,12 +57,13 @@ static int ecdh_set_secret(struct crypto > > return ecc_gen_privkey(ctx->curve_id, ctx->ndigits, > > ctx->private_key); > > > > - if (ecc_is_key_valid(ctx->curve_id, ctx->ndigits, > > - (const u64 *)params.key, params.key_size) < 0) > > - return -EINVAL; > > - > > memcpy(ctx->private_key, params.key, params.key_size); > > > > + if (ecc_is_key_valid(ctx->curve_id, ctx->ndigits, > > + ctx->private_key, params.key_size) < 0) { > > + memzero_explicit(ctx->private_key, params.key_size); > > + return -EINVAL; > > + } > > return 0; > > Best regards, > Pavel > -- > DENX Software Engineering GmbH, Managing Director: Wolfgang Denk > HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
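
Review bot: The memcpy(ctx->private_key, params.key, params.key_size) in this hunk now runs before anything has bounded params.key_size, because the only size validation visible here is inside ecc_is_key_valid(), which has been moved after the copy. The destination is a fixed context buffer and the length comes from the caller-supplied params, so an oversized key_size writes past ctx->private_key before the function gets a chance to return -EINVAL. Add an explicit check that rejects a key_size larger than the ctx->private_key buffer ahead of the memcpy, and keep ecc_is_key_valid() on the aligned copy afterwards. The same unchecked length is also passed to memzero_explicit() on the error path, so the bound check needs to precede both calls.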