Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp2527659ybv; Fri, 21 Feb 2020 17:44:23 -0800 (PST) X-Google-Smtp-Source: APXvYqzGkBc2N5xgaDCkEEz1NMhH6vVMBP8foXylBCgUj73Rk/P8Q3KUQWMhWvFQXMyWV1aLLz3x X-Received: by 2002:aca:d5d3:: with SMTP id m202mr4296574oig.161.1582335862751; Fri, 21 Feb 2020 17:44:22 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1582335862; cv=none; d=google.com; s=arc-20160816; b=EHTWeqeVSluyXSf+SxsJiQWLHkVCLZ9bQIDM5BJ/K+2TpkO+HKm58gfFExyc/1JKMd +6fECCOgTCIIGhNBAdF3tPYHflUa8z0tOgo3DPSjoxIROCqiu+9Ull3E+BLrgQtyRZID /BobeS0BNyeU3oyhHBcBcCL33pYFANrgAzFb+mb/bpA750EirDf19dNDcAYStSG0Bzq3 rmjx7eF1/XvB2mHw5BXGTSktWMFgeN9v/cztz1kPBqZahJYgKrKxmTcgI8HM8C7cCCmf r3hDOvHRNCWBhtodEO5r59vwNVR1Q5EzTWevWJoOcQcCCB8LmV0c4vJaMxeoYSl4i5nz /UAw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=4W+ZbQRf0A6me3nyzKrW4B/2DEb4+ebaVPMHjZYPceo=; b=srPvPz95HUENCoN2X0GRV+BZ5GhhcJQLoVZ32GK2ig759w8X5p/LCVwWcjfRv+8eCk zdGODX9S6Im3K6k+qZb3hvH+IHjO+SKeaAafBh13yaWZ+4+gSoJdhOIa0uoiCQV4MEKz j2y3ASwSn+8S27chM+tlkvmFXZ4Z5ND5KHeg5khMCqrSp2CFTF/NdLODZ7eiWAqWzfC9 M6RPm5+Ip3tSue4snHgbvydB+UD8S33CY+FRoXoQjusit8EfVWajUZrlAzzCxvyqc/bj 3NbItY2ybwxRxkXlghYZs5OuGPQggPKeN3KCHB/gCWpi3W38oKvIS7sCshMbTEA/Wqqs 9R0w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k10si2478903otn.323.2020.02.21.17.44.11; Fri, 21 Feb 2020 17:44:22 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726912AbgBVBoJ (ORCPT + 99 others); Fri, 21 Feb 2020 20:44:09 -0500 Received: from helcar.hmeau.com ([216.24.177.18]:52296 "EHLO fornost.hmeau.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727614AbgBVBoJ (ORCPT ); Fri, 21 Feb 2020 20:44:09 -0500 Received: from gwarestrin.me.apana.org.au ([192.168.0.7] helo=gwarestrin.arnor.me.apana.org.au) by fornost.hmeau.com with smtp (Exim 4.89 #2 (Debian)) id 1j5Jpt-00034P-GV; Sat, 22 Feb 2020 12:44:06 +1100 Received: by gwarestrin.arnor.me.apana.org.au (sSMTP sendmail emulation); Sat, 22 Feb 2020 12:44:05 +1100 Date: Sat, 22 Feb 2020 12:44:05 +1100 From: Herbert Xu To: Ayush Sawal Cc: viro@zeniv.linux.org.uk, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, vinay.yadav@chelsio.com Subject: Re: [RFC][PATCH] almost certain bug in drivers/crypto/chelsio/chcr_algo.c:create_authenc_wr() Message-ID: <20200222014405.GA19322@gondor.apana.org.au> References: <20200215061416.GZ23230@ZenIV.linux.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Fri, Feb 21, 2020 at 10:47:01AM +0530, Ayush Sawal wrote: > On 2/15/2020 11:45 AM, Al Viro wrote: > > > > > ? ? ? ? kctx_len = (ntohl(KEY_CONTEXT_CTX_LEN_V(aeadctx->key_ctx_hdr)) > > << 4) > > ? ? ? ? ? ? ? ? - sizeof(chcr_req->key_ctx); > > can't possibly be endian-safe.? Look: ->key_ctx_hdr is __be32.? And > > KEY_CONTEXT_CTX_LEN_V is "shift up by 24 bits".? On little-endian hosts it > > sees > > ? ? ? ? b0 b1 b2 b3 > > in memory, inteprets that into b0 + (b1 << 8) + (b2 << 16) + (b3 << 24), > > shifts up by 24, resulting in b0 << 24, does ntohl (byteswap on l-e), > > gets b0 and shifts that up by 4.? So we get b0 * 16 - sizeof(...). > > > > Sounds reasonable, but on b-e we get > > b3 + (b2 << 8) + (b1 << 16) + (b0 << 24), shift up by 24, > > yielding b3 << 24, do ntohl (no-op on b-e) and then shift up by 4. > > Resulting in b3 << 28 - sizeof(...), i.e. slightly under b3 * 256M. > > > > Then we increase it some more and pass to alloc_skb() as size. > > Somehow I doubt that we really want a quarter-gigabyte skb allocation > > here... > > > > Note that when you are building those values in > > #define? FILL_KEY_CTX_HDR(ck_size, mk_size, d_ck, opad, ctx_len) \ > > ? ? ? ? ? ? ? ? htonl(KEY_CONTEXT_VALID_V(1) | \ > > ? ? ? ? ? ? ? ? ? ? ? KEY_CONTEXT_CK_SIZE_V((ck_size)) | \ > > ? ? ? ? ? ? ? ? ? ? ? KEY_CONTEXT_MK_SIZE_V(mk_size) | \ > > ? ? ? ? ? ? ? ? ? ? ? KEY_CONTEXT_DUAL_CK_V((d_ck)) | \ > > ? ? ? ? ? ? ? ? ? ? ? KEY_CONTEXT_OPAD_PRESENT_V((opad)) | \ > > ? ? ? ? ? ? ? ? ? ? ? KEY_CONTEXT_SALT_PRESENT_V(1) | \ > > ? ? ? ? ? ? ? ? ? ? ? KEY_CONTEXT_CTX_LEN_V((ctx_len))) > > ctx_len ends up in the first octet (i.e. b0 in the above), which > > matches the current behaviour on l-e.? If that's the intent, this > > thing should've been > > ? ? ? ? kctx_len = (KEY_CONTEXT_CTX_LEN_G(ntohl(aeadctx->key_ctx_hdr)) > > << 4) > > ? ? ? ? ? ? ? ? - sizeof(chcr_req->key_ctx); > > instead - fetch after ntohl() we get (b0 << 24) + (b1 << 16) + (b2 << 8) > > + b3, > > shift it down by 24 (b0), resuling in b0 * 16 - sizeof(...) both on l-e > > and > > on b-e. > > > > PS: when sparse warns you about endianness problems, it might be worth > > checking > > if there really is something wrong.? And I don't mean "slap __force cast > > on it"... > > > > Signed-off-by: Al Viro > > Patch applied. Thanks. -- Email: Herbert Xu Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt