Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp1156027pxb; Fri, 21 Jan 2022 11:03:12 -0800 (PST) X-Google-Smtp-Source: ABdhPJxCRRyvh6iqknxW9MmQjv9bkD46cPGmETx4Nb5KbCf/1x9QAYbGRHJo8CanN+AtvS7Yq5Ws X-Received: by 2002:a17:902:be18:b0:14a:aef3:af2a with SMTP id r24-20020a170902be1800b0014aaef3af2amr4780753pls.25.1642791791904; Fri, 21 Jan 2022 11:03:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1642791791; cv=none; d=google.com; s=arc-20160816; b=Qhkb3OK+Njr/BY6hQH7Xt2xhjjph8waMA0Pu3jEl9/J4wFcSs89IAFtthnIIkUldq3 z4/y3mGOOCUyqkvFINanF9VWwFWZsM9bNdvVtLyasQdXrKxPadXyvx46kajUKb6tQNzR Yx6NUl6Or95lyZHyfcPB5UeAaEoPy0kHo1x1N42YuYF6+S3v5dhn0B4YjbK1caeY6SRK CUjhNZu8ruw73mOQbU+f71OPm8pt4aFcYdAJSqxdHUkgHQHI0Wzc6rqFLLKE85r1isBy 5oV5tdNUh5bN2huEc28BskohO+wFo0hRHGQyahFQm4/GEi3obnR+BB/m3nEGRMju/o2k P1jQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=2E945CLqoyS9sIaUbHdDxwI1d0NfL0sequKKLD+Lx70=; b=lml33NfnToKo/WGHn1+whSkF6lth3AgXL5KZsKGDPCTm5ktfHO9EirOtf+8abXCqMa OQF+GEVV0DquISF3Dj3UtF1jmUfg5icemICVUlRmOB87qj0xjFl2y82eLhME1xAMTH1d oLmL8OdaR6wlUYbksVEnSogUoAOP+Mt7Nl9pdSU3XK0tVO5Vg9OMqANcY4DKdESvUPqr 9yRKeL3yy94UZduUmszPAYVb0ZATt0L3ZRj7cL42bvOQdIH/at8qZ4kdp7XbkPZIEFM0 yW0IYaDsMyKFJBZzD5pdXGF2ptj9k/KHXFQWxxJr15DnoVuF3+9l2EK99ptTN5bqig3c RP6w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=HIVRMtGw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id u23si4014139pfh.70.2022.01.21.11.02.59; Fri, 21 Jan 2022 11:03:11 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=HIVRMtGw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1352933AbiASJOH (ORCPT + 99 others); Wed, 19 Jan 2022 04:14:07 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57074 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1352816AbiASJOG (ORCPT ); Wed, 19 Jan 2022 04:14:06 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5CF23C061574; Wed, 19 Jan 2022 01:14:06 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 1DF5DB81911; Wed, 19 Jan 2022 09:14:05 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E772FC340E7; Wed, 19 Jan 2022 09:14:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1642583643; bh=UT1ycB5MKQguCeHT4CqkfeYkeSTVnUZkbqsNKDB91DE=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=HIVRMtGwk6qaE9ahJmgOL9zeB6VmNjL82sIDY0R9RcQykK5LYcrO9IZYpyqYXcy1o EU8LBeG8WtEoW4g9+EXqtZGwEz+29+cw3caj84lZkBGMZOKZFYbbJ8NE+94HD6b5JE VB5/dhCa6lv9lm2LJ4Gen5fRp+EDxT8534gp56tpKJ5C+Gn7H7x44+5lBJlyqyiLwk uunPHQkLgNBMFxTblL7cDiJYVM5jiF6J7luwxLE8qz82Gr3Oua1tDpugHTtDhUky6o 8O4bMqjVQ/hwAIjSNDn9SL4SdKkdDiEXYndddjRXzxAk4EzBB+lU8hjzoYd8M5rj9C IMUxzQCcVkbBw== Received: by mail-wm1-f49.google.com with SMTP id ay14-20020a05600c1e0e00b0034d7bef1b5dso6127998wmb.3; Wed, 19 Jan 2022 01:14:03 -0800 (PST) X-Gm-Message-State: AOAM533TzqKYBYEHCOH3NgdRZdf9X84OK2kcvbF1ZpvYsKrSGHj4L6Lv HSrqR95Xc50KPNSCVmJVq6C7AHXZAKKllIxSC8I= X-Received: by 2002:a5d:6210:: with SMTP id y16mr26324324wru.454.1642583642257; Wed, 19 Jan 2022 01:14:02 -0800 (PST) MIME-Version: 1.0 References: <20220119082447.1675-1-miles.chen@mediatek.com> In-Reply-To: From: Ard Biesheuvel Date: Wed, 19 Jan 2022 10:13:51 +0100 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] lib/crypto: blake2s: fix a CFI failure To: "Jason A. Donenfeld" Cc: =?UTF-8?B?TWlsZXMgQ2hlbiAo6Zmz5rCR5qi6KQ==?= , Herbert Xu , "David S. Miller" , Matthias Brugger , Greg Kroah-Hartman , Linux Crypto Mailing List , Linux Kernel Mailing List , Linux ARM , linux-mediatek@lists.infradead.org, Eric Biggers , Sami Tolvanen Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 19 Jan 2022 at 10:09, Ard Biesheuvel wrote: > > (+ Sami, Eric) > > On Wed, 19 Jan 2022 at 10:00, Jason A. Donenfeld wrote: > > > > Hi Miles, > > > > Thanks for the patch. Could you let me know which architecture and > > compiler this was broken on? If I had to guess, I'd wager arm32, and > > you hit this by enabling optimized blake2s? > > > > If so, I'm not sure the problem is with weak symbols. Why should CFI > > break weak symbols? Rather, perhaps the issue is that the function is > > defined in blake2s-core.S? Are there some CFI macros we need for that > > definition? > > > > We should try to understand why CFI thinks the prototypes of the two > symbols are different. There are still a number of issues with CFI, so > papering over them by reverting stuff that we want for good reasons is > not the way to go imo. > > In the short term, you can work around it by avoiding the indirect > call to blake2s_compress, e.g., > > diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c > index 93f2ae051370..fef2ff678431 100644 > --- a/lib/crypto/blake2s.c > +++ b/lib/crypto/blake2s.c > @@ -16,9 +16,15 @@ > #include > #include > > +static void __blake2s_compress(struct blake2s_state *state, const u8 *block, > + size_t nblocks, const u32 inc) > +{ > + return blake2s_compress(state, block, nblocks, inc); > +} > + > void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen) > { > - __blake2s_update(state, in, inlen, blake2s_compress); > + __blake2s_update(state, in, inlen, __blake2s_compress); > } > EXPORT_SYMBOL(blake2s_update); Ehm, maybe not. As Jason points out, the typedef does not have quite the right type, so that is most likely the culprit, and this workaround would trigger CFI in exactly the same way. Interestingly, the compiler does not seem to mind, right? Or are you seeing any build time warnings on the reference to blake2s_compress in the call to __blake2s_update() ?