Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp362698ybi;
        Fri, 31 May 2019 02:42:50 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzXMht9WBYIhMROgKW2Z/6JOabgnw2LTsXMBUaIaQLGBmvO+eD2xCCcezKTgbTOY0Q3W2+U
X-Received: by 2002:a63:1b10:: with SMTP id b16mr7704638pgb.435.1559295770834;
        Fri, 31 May 2019 02:42:50 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1559295770; cv=none;
        d=google.com; s=arc-20160816;
        b=qBNtEvTztC5fFhIoRCv2eyVyhFy/qWQBZLteGsOOz1Plka+4Fid4mtQ/EzM+c4emoL
         fkyY5RJ5Dq02jMnyH7t8yyw3YCeR48epSBVunhkdLwTbrYA3OVTzK4r3I+n7YgLnj9Yi
         vBzn/rdA/+LwqyUzIAPyVwMJNrq4O6A4bMqioePYkkRX/B6etklzRbXxhKXSnpBk1SL4
         VhWyXGeQJLjSMMohb0Qc4Mobs7vtW87yPbk7M0yh1+66qcs0p8L3CbwbGthH3v+TIPiZ
         g3KHQ6NhrxbVzwhWoF1GFaq5uXad+cW1dHMKEnccEJF4Wo3lNnVSEdsZ8pLr49q7pYqI
         ry4g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=HhL4osx7ESpBduYF2Unw1uRF9bT1OgVQDPJAu+S7bbM=;
        b=mKPIrVUEd4cZaBWVly/vwGsD2JXrJZVCuNO8qGzxzbiYtjMxQkB03J3leRxUa8Ncnt
         64R6YQ0PMcgrkds3fgaBcUhV5we6ssb6t0G1ZIq0ykxDPzySEK3+GPoVK1+xioaOoC9B
         Rw2H0xJ1SWZAsPrvT8Wje3T4BdMu2eEELa3aIbMRpFp7FWj9hRb1XScNMu9fuJY3ztwQ
         /RRDpl5DzJXS0tnuI95R8LUaTJZiSA7PKwiZKFGJGN3UlUulkIbRM1gOEkIKGxcSIZqO
         xFOf8itq0KDSSJqBs+pQu0QP22Z+CLRZfeGrDNESN5RnhdIwOn3CDBwDVrAIihUb1TK3
         tiag==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=mqRL7pQS;
       spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f3si5180305pln.263.2019.05.31.02.42.32;
        Fri, 31 May 2019 02:42:50 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=mqRL7pQS;
       spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726415AbfEaJm0 (ORCPT <rfc822;nullstelllensatz@gmail.com>
        + 99 others); Fri, 31 May 2019 05:42:26 -0400
Received: from mail-it1-f196.google.com ([209.85.166.196]:36402 "EHLO
        mail-it1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726376AbfEaJmZ (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Fri, 31 May 2019 05:42:25 -0400
Received: by mail-it1-f196.google.com with SMTP id e184so14228478ite.1;
        Fri, 31 May 2019 02:42:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=HhL4osx7ESpBduYF2Unw1uRF9bT1OgVQDPJAu+S7bbM=;
        b=mqRL7pQSlFTZGtxyeO3wy/9cmrkU/33+hQAmkFIq9NbunOA3bsL30A/mMJHoxDDlnl
         A+3S/kWB6G+hh/IEjY/gpipUAduje+pGUpBEsgmW/toXllExNcw6LZSCKwKeMRNOBvr9
         H4U1lPEbHlGp2CsFaAcMNMKFUbaedBleqJZ5pwVtZWuyHhrBJdMRuRsizplltzvbf1Nr
         SsfP7ah1F857CFixN1g+IDRGRtiBl5tjghOtIS+f1E42g7cv13msnsbSOPLhy9i9wetk
         g7ATnlILwIPVbjDjVPYhr8PVXKhWYJgXlVv7B54pA/gvNu0UaQIQEzSPI0lDnP5di+Ma
         /sfA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=HhL4osx7ESpBduYF2Unw1uRF9bT1OgVQDPJAu+S7bbM=;
        b=YA0oLS9/f/4DQnW8c28JACwswYQefycDdF0Xbb0fevjrSlG+Xzcc2aHd/+k1wfaax5
         VbfQNlBxjJb59qIo1psWIp+dj+GEwC3LI538n3aFvkJXaDzaJ4hGXZGcT8fMMld16o90
         L/+LAYbjF6fAwDq2/M/+ixS4v5MBKCBJ4uKLkrR5jh5S4yEAxYT+99BI/SWMMZr1fG0B
         VpG+8uo/2Zs26fyf267/Au+bJApCTfFTMMTXkMXL5qoT4aM1+N79wDjSdF/oarOznxcd
         gD2JQ12YGzgKuQXw0MX/mkdarB3bMbKBBZirZtym7iyOdHQQtScPEfb3nkG3bqTcHun7
         VQfQ==
X-Gm-Message-State: APjAAAXtsrx3V9BTgZRzmcojfRdIYgpvBuD1iHZev5YnLZntHEmf3nDX
        1d8FHXTXY0RipF+MVvMS8h5Aff8+dNa3jZRB9vHX5O7u
X-Received: by 2002:a24:b8c2:: with SMTP id m185mr6253209ite.0.1559295744959;
 Fri, 31 May 2019 02:42:24 -0700 (PDT)
MIME-Version: 1.0
References: <20190530175039.195574-1-ebiggers@kernel.org>
In-Reply-To: <20190530175039.195574-1-ebiggers@kernel.org>
From:   Peter Robinson <pbrobinson@gmail.com>
Date:   Fri, 31 May 2019 10:42:13 +0100
Message-ID: <CALeDE9PL0q7wGj6rJO03fzJZ4m5dnkLxvu4xgMhG0dNKWxxW2A@mail.gmail.com>
Subject: Re: [PATCH] crypto: ghash - fix unaligned memory access in ghash_setkey()
To:     Eric Biggers <ebiggers@kernel.org>
Cc:     linux-crypto@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
        stable@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-crypto-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

On Thu, May 30, 2019 at 6:51 PM Eric Biggers <ebiggers@kernel.org> wrote:
>
> From: Eric Biggers <ebiggers@google.com>
>
> Changing ghash_mod_init() to be subsys_initcall made it start running
> before the alignment fault handler has been installed on ARM.  In kernel
> builds where the keys in the ghash test vectors happened to be
> misaligned in the kernel image, this exposed the longstanding bug that
> ghash_setkey() is incorrectly casting the key buffer (which can have any
> alignment) to be128 for passing to gf128mul_init_4k_lle().
>
> Fix this by memcpy()ing the key to a temporary buffer.
>
> Don't fix it by setting an alignmask on the algorithm instead because
> that would unnecessarily force alignment of the data too.
>
> Fixes: 2cdc6899a88e ("crypto: ghash - Add GHASH digest algorithm for GCM")
> Reported-by: Peter Robinson <pbrobinson@gmail.com>
Tested-by: Peter Robinson <pbrobinson@gmail.com>

That fixes the problems I was seeing, thanks for the quick response/fix.

Peter

> Cc: stable@vger.kernel.org
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
>  crypto/ghash-generic.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/crypto/ghash-generic.c b/crypto/ghash-generic.c
> index e6307935413c1..c8a347798eae6 100644
> --- a/crypto/ghash-generic.c
> +++ b/crypto/ghash-generic.c
> @@ -34,6 +34,7 @@ static int ghash_setkey(struct crypto_shash *tfm,
>                         const u8 *key, unsigned int keylen)
>  {
>         struct ghash_ctx *ctx = crypto_shash_ctx(tfm);
> +       be128 k;
>
>         if (keylen != GHASH_BLOCK_SIZE) {
>                 crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
> @@ -42,7 +43,12 @@ static int ghash_setkey(struct crypto_shash *tfm,
>
>         if (ctx->gf128)
>                 gf128mul_free_4k(ctx->gf128);
> -       ctx->gf128 = gf128mul_init_4k_lle((be128 *)key);
> +
> +       BUILD_BUG_ON(sizeof(k) != GHASH_BLOCK_SIZE);
> +       memcpy(&k, key, GHASH_BLOCK_SIZE); /* avoid violating alignment rules */
> +       ctx->gf128 = gf128mul_init_4k_lle(&k);
> +       memzero_explicit(&k, GHASH_BLOCK_SIZE);
> +
>         if (!ctx->gf128)
>                 return -ENOMEM;
>
> --
> 2.22.0.rc1.257.g3120a18244-goog
>