From: Eric Biggers
To: linux-crypto@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org, Peter Robinson, stable@vger.kernel.org
Subject: [PATCH] crypto: ghash - fix unaligned memory access in ghash_setkey()
Date: Thu, 30 May 2019 10:50:39 -0700
Message-Id: <20190530175039.195574-1-ebiggers@kernel.org>

From: Eric Biggers

Changing ghash_mod_init() to be subsys_initcall made it start running before the alignment fault handler has been installed on ARM. In kernel builds where the keys in the ghash test vectors happened to be misaligned in the kernel image, this exposed the longstanding bug that ghash_setkey() is incorrectly casting the key buffer (which can have any alignment) to be128 for passing to gf128mul_init_4k_lle().

Fix this by memcpy()ing the key to a temporary buffer.

Don't fix it by setting an alignmask on the algorithm instead because that would unnecessarily force alignment of the data too.

Fixes: 2cdc6899a88e ("crypto: ghash - Add GHASH digest algorithm for GCM")
Reported-by: Peter Robinson
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers

--- crypto/ghash-generic.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/crypto/ghash-generic.c b/crypto/ghash-generic.c index e6307935413c1..c8a347798eae6 100644 --- a/crypto/ghash-generic.c +++ b/crypto/ghash-generic.c @@ -34,6 +34,7 @@ static int ghash_setkey(struct crypto_shash *tfm, const u8 *key, unsigned int keylen) { struct ghash_ctx *ctx = crypto_shash_ctx(tfm); + be128 k; if (keylen != GHASH_BLOCK_SIZE) { crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); 
@@ -42,7 +43,12 @@ static int ghash_setkey(struct crypto_shash *tfm, if (ctx->gf128) gf128mul_free_4k(ctx->gf128); - ctx->gf128 = gf128mul_init_4k_lle((be128 *)key); + + BUILD_BUG_ON(sizeof(k) != GHASH_BLOCK_SIZE); + memcpy(&k, key, GHASH_BLOCK_SIZE); /* avoid violating alignment rules */ + ctx->gf128 = gf128mul_init_4k_lle(&k); + memzero_explicit(&k, GHASH_BLOCK_SIZE); + if (!ctx->gf128) return -ENOMEM; -- 2.22.0.rc1.257.g3120a18244-goog
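
Review bot: in the second hunk (ghash_setkey(), the lines replacing the (be128 *)key cast), memcpy() and memzero_explicit() are both sized with GHASH_BLOCK_SIZE although the object they act on is k; using sizeof(k) in the memzero_explicit() call would tie the wipe to the stack buffer itself instead of depending on the BUILD_BUG_ON to keep the two sizes equal. The inline comment "avoid violating alignment rules" could also state that key may have any alignment and that an alignmask was deliberately not used, since that reasoning currently appears only in the commit message. Placing memzero_explicit() before the !ctx->gf128 check is right, because it clears the stack copy of the key on the -ENOMEM path as well.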