Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp3824226ybi;
        Mon, 3 Jun 2019 00:29:37 -0700 (PDT)
X-Google-Smtp-Source: APXvYqy8NA4LyPiaUdy/BSl9fn7ncxuwvEFABnokHL1YMX2uDl5Jpew0tqWPbIMPStjfNX5a7SQ8
X-Received: by 2002:a62:1483:: with SMTP id 125mr29319311pfu.137.1559546976975;
        Mon, 03 Jun 2019 00:29:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1559546976; cv=none;
        d=google.com; s=arc-20160816;
        b=0OrXFwHO/IV361n2SbjxnyoTaxgePkh9dH5fcNs5Pcuf+BowRDvWqAWn2gBd0EevvQ
         pQ1QydVZWf3c3uE7jeLQx8r46Uubn0TBSrl/Wo5h6pFx1VkLrccqo61WyMKONRcmybd0
         MHLM9HyZzkm7mN7f6CnXGr+z959E9m6R/v/3dHlnVTi8sq8j+d2nsrCiMJKSifloG1Ab
         DBsKthgVYJ8kl4yQHKZ1yBISE8tXUytmvrPDrbp9FsnBPDkx8+9w4bNe6q/6GUO6leax
         CN+o6JyWDRqssrtQlCY6w+Zorwk5lCyKLdfNRwZzwzB/hwyOY0n3obWaf0HYpDW3DDIK
         tTfQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:dkim-signature;
        bh=y4yWGiBs4AVaPkQMeBun7TOFr1uohDtRZ02pj0yDyCE=;
        b=wPDCZ40IXrFnvq5MYrRQFD67cVvTVo5dDhRDMw08ql6K2dg8X738NfFz9OFJrNBmfh
         7FG8q78G2OE+/qXC5aG4cPPfbX3pPyyO7+oAVYpBxOwmc0hhLSsqwFZSc2d4Fn24uN3a
         9sB3D/Yd7tI5PsV21U1lKxYPpWDS63nXjBguR/FWJ3CGIPAVsDMD2KkZjFNCUPa+CLRt
         h6xJbtuFQPXE7ZN9UovGMihra7KRfC9T4UZNcWSVZS7x8+h5cmAEcUqhOj4tCWgz9GBC
         Ds5LZbyPo7kp9xejgx0mjt7dmCC85rmrgNGnFxrV9ocESTR4KgHKK1atz+GgbrhpIux2
         GEbQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@c-s.fr header.s=mail header.b=TNCSahey;
       spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id j3si18597946pff.101.2019.06.03.00.29.23;
        Mon, 03 Jun 2019 00:29:36 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@c-s.fr header.s=mail header.b=TNCSahey;
       spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727074AbfFCH1b (ORCPT <rfc822;nullstelllensatz@gmail.com>
        + 99 others); Mon, 3 Jun 2019 03:27:31 -0400
Received: from pegase1.c-s.fr ([93.17.236.30]:27831 "EHLO pegase1.c-s.fr"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726956AbfFCH1b (ORCPT <rfc822;linux-crypto@vger.kernel.org>);
        Mon, 3 Jun 2019 03:27:31 -0400
Received: from localhost (mailhub1-int [192.168.12.234])
        by localhost (Postfix) with ESMTP id 45HRTM1MJ0z9txrs;
        Mon,  3 Jun 2019 09:27:19 +0200 (CEST)
Authentication-Results: localhost; dkim=pass
        reason="1024-bit key; insecure key"
        header.d=c-s.fr header.i=@c-s.fr header.b=TNCSahey; dkim-adsp=pass;
        dkim-atps=neutral
X-Virus-Scanned: Debian amavisd-new at c-s.fr
Received: from pegase1.c-s.fr ([192.168.12.234])
        by localhost (pegase1.c-s.fr [192.168.12.234]) (amavisd-new, port 10024)
        with ESMTP id EkNaZE1SsL4v; Mon,  3 Jun 2019 09:27:19 +0200 (CEST)
Received: from messagerie.si.c-s.fr (messagerie.si.c-s.fr [192.168.25.192])
        by pegase1.c-s.fr (Postfix) with ESMTP id 45HRTM0GRPz9txrq;
        Mon,  3 Jun 2019 09:27:19 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=c-s.fr; s=mail;
        t=1559546839; bh=y4yWGiBs4AVaPkQMeBun7TOFr1uohDtRZ02pj0yDyCE=;
        h=Subject:To:Cc:References:From:Date:In-Reply-To:From;
        b=TNCSahey5JC9LWgbW3e1bcDRql89qbHWBTW25XvUxSxPPFXy2itMd3Hs0H0bUyhq+
         e6mwel6/ODZK7TATmQwh7L4fvIrozErwyj2oL1qEzoz5z86qjvTnJuVV7sHBJrC7Ix
         GFYSemOr6uoEJTYlsXbJsZy0rBIElzTWSPiT0AWw=
Received: from localhost (localhost [127.0.0.1])
        by messagerie.si.c-s.fr (Postfix) with ESMTP id 9BC9B8B7B1;
        Mon,  3 Jun 2019 09:27:23 +0200 (CEST)
X-Virus-Scanned: amavisd-new at c-s.fr
Received: from messagerie.si.c-s.fr ([127.0.0.1])
        by localhost (messagerie.si.c-s.fr [127.0.0.1]) (amavisd-new, port 10023)
        with ESMTP id e1C1R_Rcnar6; Mon,  3 Jun 2019 09:27:23 +0200 (CEST)
Received: from PO15451 (po15451.idsi0.si.c-s.fr [172.25.231.1])
        by messagerie.si.c-s.fr (Postfix) with ESMTP id 6B44E8B7A1;
        Mon,  3 Jun 2019 09:27:23 +0200 (CEST)
Subject: Re: [PATCH] crypto: ghash - fix unaligned memory access in
 ghash_setkey()
To:     Eric Biggers <ebiggers@kernel.org>, linux-crypto@vger.kernel.org
Cc:     linux-arm-kernel@lists.infradead.org,
        Peter Robinson <pbrobinson@gmail.com>, stable@vger.kernel.org
References: <20190530175039.195574-1-ebiggers@kernel.org>
From:   Christophe Leroy <christophe.leroy@c-s.fr>
Message-ID: <0f7e6d3d-aa27-30c3-5c82-67d484bf667c@c-s.fr>
Date:   Mon, 3 Jun 2019 09:27:24 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101
 Thunderbird/60.7.0
MIME-Version: 1.0
In-Reply-To: <20190530175039.195574-1-ebiggers@kernel.org>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: fr
Content-Transfer-Encoding: 8bit
Sender: linux-crypto-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org



Le 30/05/2019 à 19:50, Eric Biggers a écrit :
> From: Eric Biggers <ebiggers@google.com>
> 
> Changing ghash_mod_init() to be subsys_initcall made it start running
> before the alignment fault handler has been installed on ARM.  In kernel
> builds where the keys in the ghash test vectors happened to be
> misaligned in the kernel image, this exposed the longstanding bug that
> ghash_setkey() is incorrectly casting the key buffer (which can have any
> alignment) to be128 for passing to gf128mul_init_4k_lle().
> 
> Fix this by memcpy()ing the key to a temporary buffer.

Shouldn't we make it dependent on CONFIG_HAVE_64BIT_ALIGNED_ACCESS or 
!CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS ?

Christophe

> 
> Don't fix it by setting an alignmask on the algorithm instead because
> that would unnecessarily force alignment of the data too.
> 
> Fixes: 2cdc6899a88e ("crypto: ghash - Add GHASH digest algorithm for GCM")
> Reported-by: Peter Robinson <pbrobinson@gmail.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
>   crypto/ghash-generic.c | 8 +++++++-
>   1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/crypto/ghash-generic.c b/crypto/ghash-generic.c
> index e6307935413c1..c8a347798eae6 100644
> --- a/crypto/ghash-generic.c
> +++ b/crypto/ghash-generic.c
> @@ -34,6 +34,7 @@ static int ghash_setkey(struct crypto_shash *tfm,
>   			const u8 *key, unsigned int keylen)
>   {
>   	struct ghash_ctx *ctx = crypto_shash_ctx(tfm);
> +	be128 k;
>   
>   	if (keylen != GHASH_BLOCK_SIZE) {
>   		crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
> @@ -42,7 +43,12 @@ static int ghash_setkey(struct crypto_shash *tfm,
>   
>   	if (ctx->gf128)
>   		gf128mul_free_4k(ctx->gf128);
> -	ctx->gf128 = gf128mul_init_4k_lle((be128 *)key);
> +
> +	BUILD_BUG_ON(sizeof(k) != GHASH_BLOCK_SIZE);
> +	memcpy(&k, key, GHASH_BLOCK_SIZE); /* avoid violating alignment rules */
> +	ctx->gf128 = gf128mul_init_4k_lle(&k);
> +	memzero_explicit(&k, GHASH_BLOCK_SIZE);
> +
>   	if (!ctx->gf128)
>   		return -ENOMEM;
>   
>