Received: by 2002:ad5:4acb:0:0:0:0:0 with SMTP id n11csp25116imw; Thu, 14 Jul 2022 19:35:25 -0700 (PDT) X-Google-Smtp-Source: AGRyM1vtrZFu3bxoDVyZcXxiJ7vghvxmjEijx2pR5XquoAoQAFqNd+465bAIapbeOyVvyAqXCH9T X-Received: by 2002:a17:902:ec8d:b0:16c:4fe6:9dd1 with SMTP id x13-20020a170902ec8d00b0016c4fe69dd1mr10827429plg.141.1657852525687; Thu, 14 Jul 2022 19:35:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1657852525; cv=none; d=google.com; s=arc-20160816; b=I9L88KnMptMYKqEYgFdEXunNesL8iPBV0aLgwsjMf6Jgzx87k4eb3+iINAppTPkYiB AvRD7Ixh5bv8yITRs5f/ktAgid8qlkGrh+QvUUmOeorUeggB2KDzymUio6vI4T183RBC FRH6i4UrPS8Cja9t8uTGINXdd5DVkH6IeIa3+q4PQORZaA+onIO93rsVMQZ/2rzaSdqE pYbMdkOBYwY23B9n3RGqjcieR4OaGqq1ys3ITBP1d/171A7+CrVuJjxZULQnAMolXuDM thY3m7AgNTAH8Q3TTAYYza9ZSVI5MHjJUic+v6ALTloaiX5O0xLrUC7Py93njbhlOxgN Kx+A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:references :cc:to:from:content-language:subject:user-agent:mime-version:date :message-id; bh=fWw558E44CYJMWUMB/pULdm1wo6o645cOnfUGS7/L0s=; b=ZZW1q1u29iili8ko38R7kIDPKuNSqH2Se/MXp/RvakcgIiT1kPEy7JcMpfPJDrCCNc vu3oCnSHcnJnYzKAUz+AZmZtPbVn/QWZ1qhmIeTjJW3D04rx2RQmM0oZ3dS6Y3nx5m91 R3W6sk07zjxCny+a7Z3vP4kmf5YVwfuCvazkNMhTDahCDfa3R7h4LgFwJnd27U/FOCwA NXInXpxxT0BTsfYXlfqzPYpSvZ/nprqGqlnECZxm7YDym3MOtzxz/4kXFvmhyY/I3Pn5 Ny0YOpGw0+DdtWNwJ0sPbESZJ3oRS7GJIpp1+K6zldL17+aCb1uOecDkO3DnJvCfanLP LvAw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id y1-20020a056a001c8100b0052523d203a0si3951345pfw.77.2022.07.14.19.35.09; Thu, 14 Jul 2022 19:35:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241253AbiGOCHc (ORCPT + 99 others); Thu, 14 Jul 2022 22:07:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57082 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232394AbiGOCHb (ORCPT ); Thu, 14 Jul 2022 22:07:31 -0400 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8D8FB74DF2 for ; Thu, 14 Jul 2022 19:07:28 -0700 (PDT) Received: from dggpemm500024.china.huawei.com (unknown [172.30.72.54]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4LkZQl2x2hzVfsJ; Fri, 15 Jul 2022 10:03:43 +0800 (CST) Received: from [10.67.110.173] (10.67.110.173) by dggpemm500024.china.huawei.com (7.185.36.203) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Fri, 15 Jul 2022 10:07:02 +0800 Message-ID: Date: Fri, 15 Jul 2022 10:07:02 +0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.8.0 Subject: Re: [PATCH v2] arm64/crypto: poly1305 fix a read out-of-bound Content-Language: en-US From: "Guozihua (Scott)" To: CC: , , , , , References: <20220712075031.29061-1-guozihua@huawei.com> In-Reply-To: <20220712075031.29061-1-guozihua@huawei.com> Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: 7bit X-Originating-IP: [10.67.110.173] X-ClientProxiedBy: dggems702-chm.china.huawei.com (10.3.19.179) To dggpemm500024.china.huawei.com (7.185.36.203) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On 2022/7/12 15:50, GUO Zihua wrote: > A kasan error was reported during fuzzing: > > BUG: KASAN: slab-out-of-bounds in neon_poly1305_blocks.constprop.0+0x1b4/0x250 [poly1305_neon] > Read of size 4 at addr ffff0010e293f010 by task syz-executor.5/1646715 > CPU: 4 PID: 1646715 Comm: syz-executor.5 Kdump: loaded Not tainted 5.10.0.aarch64 #1 > Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.59 01/31/2019 > Call trace: > dump_backtrace+0x0/0x394 > show_stack+0x34/0x4c arch/arm64/kernel/stacktrace.c:196 > __dump_stack lib/dump_stack.c:77 [inline] > dump_stack+0x158/0x1e4 lib/dump_stack.c:118 > print_address_description.constprop.0+0x68/0x204 mm/kasan/report.c:387 > __kasan_report+0xe0/0x140 mm/kasan/report.c:547 > kasan_report+0x44/0xe0 mm/kasan/report.c:564 > check_memory_region_inline mm/kasan/generic.c:187 [inline] > __asan_load4+0x94/0xd0 mm/kasan/generic.c:252 > neon_poly1305_blocks.constprop.0+0x1b4/0x250 [poly1305_neon] > neon_poly1305_do_update+0x6c/0x15c [poly1305_neon] > neon_poly1305_update+0x9c/0x1c4 [poly1305_neon] > crypto_shash_update crypto/shash.c:131 [inline] > shash_finup_unaligned+0x84/0x15c crypto/shash.c:179 > crypto_shash_finup+0x8c/0x140 crypto/shash.c:193 > shash_digest_unaligned+0xb8/0xe4 crypto/shash.c:201 > crypto_shash_digest+0xa4/0xfc crypto/shash.c:217 > crypto_shash_tfm_digest+0xb4/0x150 crypto/shash.c:229 > essiv_skcipher_setkey+0x164/0x200 [essiv] > crypto_skcipher_setkey+0xb0/0x160 crypto/skcipher.c:612 > skcipher_setkey+0x3c/0x50 crypto/algif_skcipher.c:305 > alg_setkey+0x114/0x2a0 crypto/af_alg.c:220 > alg_setsockopt+0x19c/0x210 crypto/af_alg.c:253 > __sys_setsockopt+0x190/0x2e0 net/socket.c:2123 > __do_sys_setsockopt net/socket.c:2134 [inline] > __se_sys_setsockopt net/socket.c:2131 [inline] > __arm64_sys_setsockopt+0x78/0x94 net/socket.c:2131 > __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline] > invoke_syscall+0x64/0x100 arch/arm64/kernel/syscall.c:48 > el0_svc_common.constprop.0+0x220/0x230 arch/arm64/kernel/syscall.c:155 > do_el0_svc+0xb4/0xd4 arch/arm64/kernel/syscall.c:217 > el0_svc+0x24/0x3c arch/arm64/kernel/entry-common.c:353 > el0_sync_handler+0x160/0x164 arch/arm64/kernel/entry-common.c:369 > el0_sync+0x160/0x180 arch/arm64/kernel/entry.S:683 > > This error can be reproduced by the following code compiled as ko on a > system with kasan enabled: > > char test_data[] = "\x00\x01\x02\x03\x04\x05\x06\x07" > "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" > "\x10\x11\x12\x13\x14\x15\x16\x17" > "\x18\x19\x1a\x1b\x1c\x1d\x1e"; > > int init(void) > { > struct crypto_shash *tfm = NULL; > struct shash_desc *desc = NULL; > char *data = NULL; > > tfm = crypto_alloc_shash("poly1305", 0, 0); > desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(tfm), GFP_KERNEL); > desc->tfm = tfm; > > data = kmalloc(POLY1305_KEY_SIZE - 1, GFP_KERNEL); > memcpy(data, test_data, POLY1305_KEY_SIZE - 1); > crypto_shash_update(desc, data, POLY1305_KEY_SIZE - 1); > crypto_shash_final(desc, data); > kfree(data); > return 0; > } > > void deinit(void) > { > } > > module_init(init) > module_exit(deinit) > MODULE_LICENSE("GPL"); > > The root cause of the bug sits in neon_poly1305_blocks. The logic > neon_poly1305_blocks() performed is that if it was called with both s[] > and r[] uninitialized, it will first try to initialize them with the > data from the first "block" that it believed to be 32 bytes in length. > First 16 bytes are used as the key and the next 16 bytes for s[]. This > would lead to the aforementioned read out-of-bound. However, after > calling poly1305_init_arch(), only 16 bytes were deducted from the input > and s[] is initialized yet again with the following 16 bytes. The second > initialization of s[] is certainly redundent which indicates that the > first initialization should be for r[] only. > > This patch fixes the issue by calling poly1305_init_arm64() instead of > poly1305_init_arch(). This is also the implementation for the same > algorithm on arm platform. > > Fixes: f569ca164751 ("crypto: arm64/poly1305 - incorporate OpenSSL/CRYPTOGAMS NEON implementation") > Cc: stable@vger.kernel.org > Signed-off-by: GUO Zihua > --- > arch/arm64/crypto/poly1305-glue.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/arch/arm64/crypto/poly1305-glue.c b/arch/arm64/crypto/poly1305-glue.c > index 9c3d86e397bf..1fae18ba11ed 100644 > --- a/arch/arm64/crypto/poly1305-glue.c > +++ b/arch/arm64/crypto/poly1305-glue.c > @@ -52,7 +52,7 @@ static void neon_poly1305_blocks(struct poly1305_desc_ctx *dctx, const u8 *src, > { > if (unlikely(!dctx->sset)) { > if (!dctx->rset) { > - poly1305_init_arch(dctx, src); > + poly1305_init_arm64(&dctx->h, src); > src += POLY1305_BLOCK_SIZE; > len -= POLY1305_BLOCK_SIZE; > dctx->rset = 1; Friendly ping~ -- Best GUO Zihua