Received: by 2002:ad5:4acb:0:0:0:0:0 with SMTP id n11csp4545792imw; Tue, 19 Jul 2022 08:33:51 -0700 (PDT) X-Google-Smtp-Source: AGRyM1stDHl9nNPvDPF+dqSnyn6fTIQFpO0Rbv59HzsV/YjGoO54HKMQx8C0WdIfUDB61GroUBro X-Received: by 2002:a17:907:28d4:b0:72b:47ca:e37a with SMTP id en20-20020a17090728d400b0072b47cae37amr30806761ejc.378.1658244830812; Tue, 19 Jul 2022 08:33:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1658244830; cv=none; d=google.com; s=arc-20160816; b=vwbDs7VZssAK0Wxbm+KrhF4YSIXfn2w4vb/4ESnHNJJ/cCFFgUfI9Bx0cV5i5ciqz8 nY365FLR+htTYcFHOQmqLeUGLDYzWVCOht/Dll24kek7HShVNAeTL/VkrTdF81k+eI/o toOI4SZUvHZR7WghxiJVhePXdYZi62ZlCjq9eQLBrPsjDYFFYmLVjgDrQH+D4EoAaZeL NVL64iflNJ/Qjofpytjx0peKelCixYAuqSt4wLR842cH+QMUK4wB3elbXrC1nQGFiAlb Qn1OAWVUPqovwXSE+urg8Fwx0iIqDykQpWiV7dnW2bPby2vKV0TVNG/SpSWXlz/Lbnzt 97Xg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=7BFIgUumD/kmYA1pmYkKFh/T9Z0odVvpxKmd7kFvmds=; b=FOqIeGrgDVOqUBGkagBvsinksaJX+vv/TuDb2AF2o7pPuGW3J7LSAR6NZaerk2if9q w0CrVbW022ca/CfuvwaPZ/g4qgKOqgiKZtvvp+5kfaJLHlcP131gcQXBq4nDCs6Hk/nF 8Gl2+rIvxZfkYD96p3ySe/V2PR5LfNSe9yMTrbAiQ6cRb6yZFIvJekvqLexY0NIN3KWU qqGcVKZVC1E6wOncKYqGAAFUV6QDm11Y59p2btgkIHG9YR2+ttmnpxuN8mHaVa9cu+JZ lg5ioFytYQ/D1vTs2bdoiwe4UEGFXNVqXYcKija8uT8SwW+Pckk8wpfZxQBEKct1FZni RU9g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=p0vbyaqg; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id bm5-20020a170906c04500b006e88579e94fsi14297182ejb.798.2022.07.19.08.33.22; Tue, 19 Jul 2022 08:33:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=p0vbyaqg; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229818AbiGSP1V (ORCPT + 99 others); Tue, 19 Jul 2022 11:27:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57784 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239517AbiGSP1I (ORCPT ); Tue, 19 Jul 2022 11:27:08 -0400 Received: from mail-pj1-x1029.google.com (mail-pj1-x1029.google.com [IPv6:2607:f8b0:4864:20::1029]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 73FAA50735 for ; Tue, 19 Jul 2022 08:27:07 -0700 (PDT) Received: by mail-pj1-x1029.google.com with SMTP id t2-20020a17090a4e4200b001f21572f3a4so316835pjl.0 for ; Tue, 19 Jul 2022 08:27:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:date:mime-version:user-agent:subject:content-language:to :cc:references:from:in-reply-to:content-transfer-encoding; bh=7BFIgUumD/kmYA1pmYkKFh/T9Z0odVvpxKmd7kFvmds=; b=p0vbyaqg8b7QFy3eBMSaHlXf9z9XE0n+e14lNNj1gZpq49P69UF7JOMI2ROL/j+ujq +gZHfIHFE/7zg/iPBZtLcSmvKojE1oqsL/+5TwruTQzkQpMGT4Ji8QHQCL6U1QA3U32i ZyKfUMAC8QgAwtjeq2dRlUdhtfHbR1bApY1aozNezDNFEI10cO96GBdrKfd9J0fIYVTQ 6etqQKX03zuvAuv+SLJKW1+TfwfmR4q6ztMN94P2S7hH55RyVE1koH9xoCQAXzFObsmc EMpacVkF3ldoF7xO5EeLIpSYY2LmUNjaTcuchwgfQkl7UvtF/EHIU05MVKDrFCYXPTNi maWA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:cc:references:from:in-reply-to :content-transfer-encoding; bh=7BFIgUumD/kmYA1pmYkKFh/T9Z0odVvpxKmd7kFvmds=; b=MIIGVYhkEitXrwAMlAx7I66UtPsxgRx/Ma5MeqiUaU0FQLX6QBMcAgR3W3Q2kxeRVe VQggQLHb8mGnPXBQyvD6s92Xphg/IMqjNOI/nZEXpgI/7dFS+Qn0XeF4vmB+ySXqFYiY dPJ/aGKxLHv0b6mdfYNMge15pLjYJOUG09dbj8mKj69nch2IsBGXrBR+oJdOr2nXBesL fBtu2NSViTH6+9PNbhbxdaDcCeE7smdiPhVXhfbvDtw9NQdpz11m4xbqvrb2zTAmZNmG cUXBuo5nHJ4dS+f1y0LqDc9aJBHaswrdjGQj2oYCglyDKbljfM9d3QaN86o5uPfFrTNV crRw== X-Gm-Message-State: AJIora91rK9XYfJVJSVWyKqj3XnoxMRosUWdsrvfYPqwnfC49jMFmSbH Gx0slS945PWHwZZ2vVeKs9lU/4Rbc4D2mg== X-Received: by 2002:a17:902:e54b:b0:16c:38e5:a9b7 with SMTP id n11-20020a170902e54b00b0016c38e5a9b7mr33883192plf.66.1658244426810; Tue, 19 Jul 2022 08:27:06 -0700 (PDT) Received: from [192.168.0.4] ([182.213.254.91]) by smtp.gmail.com with ESMTPSA id a3-20020a170902ecc300b0016be4d78792sm11725651plh.257.2022.07.19.08.27.05 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 19 Jul 2022 08:27:06 -0700 (PDT) Message-ID: <856b44ba-23fc-4661-9afb-6b0487133e34@gmail.com> Date: Wed, 20 Jul 2022 00:27:03 +0900 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0 Subject: Re: [bug report] crypto: aria - Implement ARIA symmetric cipher algorithm Content-Language: en-US To: Dan Carpenter Cc: linux-crypto@vger.kernel.org References: From: Taehee Yoo In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT, FREEMAIL_FROM,NICE_REPLY_A,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Hi Dan, Thank you so much for your report! On 7/19/22 17:14, Dan Carpenter wrote: > Hello Taehee Yoo, > > The patch e4e712bbbd6d: "crypto: aria - Implement ARIA symmetric > cipher algorithm" from Jul 4, 2022, leads to the following Smatch > static checker warning: > > crypto/aria.c:69 aria_set_encrypt_key() error: buffer overflow 'ck' 4 <= 4 > crypto/aria.c:70 aria_set_encrypt_key() error: buffer overflow 'ck' 4 <= 5 > crypto/aria.c:71 aria_set_encrypt_key() error: buffer overflow 'ck' 4 <= 6 > crypto/aria.c:72 aria_set_encrypt_key() error: buffer overflow 'ck' 4 <= 7 > crypto/aria.c:86 aria_set_encrypt_key() error: buffer overflow 'ck' 4 <= 8 > crypto/aria.c:87 aria_set_encrypt_key() error: buffer overflow 'ck' 4 <= 9 > crypto/aria.c:88 aria_set_encrypt_key() error: buffer overflow 'ck' 4 <= 10 > crypto/aria.c:89 aria_set_encrypt_key() error: buffer overflow 'ck' 4 <= 11 > > crypto/aria.c > 19 static void aria_set_encrypt_key(struct aria_ctx *ctx, const u8 *in_key, > 20 unsigned int key_len) > 21 { > 22 const __be32 *key = (const __be32 *)in_key; > 23 u32 w0[4], w1[4], w2[4], w3[4]; > 24 u32 reg0, reg1, reg2, reg3; > 25 const u32 *ck; > 26 int rkidx = 0; > 27 > 28 ck = &key_rc[(key_len - 16) / 8][0]; > > key_rc is declared like this: > > static const u32 key_rc[5][4] = { > > 29 > 30 w0[0] = be32_to_cpu(key[0]); > 31 w0[1] = be32_to_cpu(key[1]); > 32 w0[2] = be32_to_cpu(key[2]); > 33 w0[3] = be32_to_cpu(key[3]); > 34 > 35 reg0 = w0[0] ^ ck[0]; > 36 reg1 = w0[1] ^ ck[1]; > 37 reg2 = w0[2] ^ ck[2]; > 38 reg3 = w0[3] ^ ck[3]; > 39 > 40 aria_subst_diff_odd(®0, ®1, ®2, ®3); > 41 > 42 if (key_len > 16) { > 43 w1[0] = be32_to_cpu(key[4]); > 44 w1[1] = be32_to_cpu(key[5]); > 45 if (key_len > 24) { > 46 w1[2] = be32_to_cpu(key[6]); > 47 w1[3] = be32_to_cpu(key[7]); > 48 } else { > 49 w1[2] = 0; > 50 w1[3] = 0; > 51 } > 52 } else { > 53 w1[0] = 0; > 54 w1[1] = 0; > 55 w1[2] = 0; > 56 w1[3] = 0; > 57 } > 58 > 59 w1[0] ^= reg0; > 60 w1[1] ^= reg1; > 61 w1[2] ^= reg2; > 62 w1[3] ^= reg3; > 63 > 64 reg0 = w1[0]; > 65 reg1 = w1[1]; > 66 reg2 = w1[2]; > 67 reg3 = w1[3]; > 68 > --> 69 reg0 ^= ck[4]; > > So 4 and above is out of bounds. > > 70 reg1 ^= ck[5]; > 71 reg2 ^= ck[6]; > 72 reg3 ^= ck[7]; > 73 > 74 aria_subst_diff_even(®0, ®1, ®2, ®3); > 75 > 76 reg0 ^= w0[0]; > 77 reg1 ^= w0[1]; > 78 reg2 ^= w0[2]; > 79 reg3 ^= w0[3]; > 80 > 81 w2[0] = reg0; > 82 w2[1] = reg1; > 83 w2[2] = reg2; > 84 w2[3] = reg3; > 85 > 86 reg0 ^= ck[8]; > 87 reg1 ^= ck[9]; > 88 reg2 ^= ck[10]; > 89 reg3 ^= ck[11]; > 90 > 91 aria_subst_diff_odd(®0, ®1, ®2, ®3); > 92 > 93 w3[0] = reg0 ^ w1[0]; > 94 w3[1] = reg1 ^ w1[1]; > 95 w3[2] = reg2 ^ w1[2]; > 96 w3[3] = reg3 ^ w1[3]; > 97 > 98 aria_gsrk(ctx->enc_key[rkidx], w0, w1, 19); > 99 rkidx++; > 100 aria_gsrk(ctx->enc_key[rkidx], w1, w2, 19); > 101 rkidx++; > 102 aria_gsrk(ctx->enc_key[rkidx], w2, w3, 19); > 103 rkidx++; > 104 aria_gsrk(ctx->enc_key[rkidx], w3, w0, 19); > 105 > 106 rkidx++; > 107 aria_gsrk(ctx->enc_key[rkidx], w0, w1, 31); > 108 rkidx++; > 109 aria_gsrk(ctx->enc_key[rkidx], w1, w2, 31); > 110 rkidx++; > 111 aria_gsrk(ctx->enc_key[rkidx], w2, w3, 31); > 112 rkidx++; > 113 aria_gsrk(ctx->enc_key[rkidx], w3, w0, 31); > 114 > 115 rkidx++; > 116 aria_gsrk(ctx->enc_key[rkidx], w0, w1, 67); > 117 rkidx++; > 118 aria_gsrk(ctx->enc_key[rkidx], w1, w2, 67); > 119 rkidx++; > 120 aria_gsrk(ctx->enc_key[rkidx], w2, w3, 67); > 121 rkidx++; > 122 aria_gsrk(ctx->enc_key[rkidx], w3, w0, 67); > 123 > 124 rkidx++; > 125 aria_gsrk(ctx->enc_key[rkidx], w0, w1, 97); > 126 if (key_len > 16) { > 127 rkidx++; > 128 aria_gsrk(ctx->enc_key[rkidx], w1, w2, 97); > 129 rkidx++; > 130 aria_gsrk(ctx->enc_key[rkidx], w2, w3, 97); > 131 > 132 if (key_len > 24) { > 133 rkidx++; > 134 aria_gsrk(ctx->enc_key[rkidx], w3, w0, 97); > 135 > 136 rkidx++; > 137 aria_gsrk(ctx->enc_key[rkidx], w0, w1, 109); > 138 } > 139 } > 140 } > > regards, > dan carpenter I think this is a false positive of smatch. ck is a pointer and it points key_rc, which is a double array. But ck is used as a single array. So, I think smatch warns it although there are actually no out-of-bounds. I just tested changing key_rc to a single array. There are no smatch warnings. So, I will send a patch to avoid this smatch warning. Thank you so much, Taehee Yoo