Received: by 2002:ad5:4acb:0:0:0:0:0 with SMTP id n11csp5299490imw; Wed, 20 Jul 2022 03:03:31 -0700 (PDT) X-Google-Smtp-Source: AGRyM1vfhMM75Nw5SE46z8MCyAnFRVCspr38iXcqbV37Jwm+oIg36+w3H5lytrbMuZgVRRZj6jdt X-Received: by 2002:a05:6402:2816:b0:434:ed38:16f3 with SMTP id h22-20020a056402281600b00434ed3816f3mr49874876ede.116.1658311411504; Wed, 20 Jul 2022 03:03:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1658311411; cv=none; d=google.com; s=arc-20160816; b=S+bvZN3l6ZJirjBZBsV45RyJDevCGixmowQdgb/Z+s9XJ3VMULxyRGfCPtn6HbSxpd 4yDhuP1BSBFZB84gwAIjuJyb8WjEajqecEEG0tMSMAYE0gvMG6BfLKzFfBkg+i+1njbd I7VukdHPpgWauZfLTRUT1VRXWh4AHO+saDtq8zQGFiBzVf1g89ryKiUk5Gvro1gNjG6r 1BsT0M4YKjAEBJbCOVVf8UuyUZfCU9QlmcIfJlfUwqaVFVHQ4vCnYDWezjEhSSakRZND BgZRGSGDa6d8P7eWZoN/c9QvsA7ZL1biU13JA2PV0KW5H455rFU7BqBjZZvCsdQI8GM2 Xmtg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=6Hqb1gOaPW8ctsL4J2UtyrwBWxNcnqOIOlj36r3TrTg=; b=MIZXt2xl/UMj6w0ucYeBx2uGZsqm0yfcHYcdOz3Sp3eCjM9b8JwDrsjuiiGIj6Y9cq bNPnp092QFbzBvszf6zBf4I3Sy4COxqhy3iH57OUlhwHCQeLqHiL62/aUbN6zBYLeBmT Tg2B7EYnWZ9CGj7s6GwWaOeQ3C/DkNogoPzi7tjnisWFPu9+DDFSx8pkNIyBldgovz22 0S8MfbRgGYwA9OGAOXh4CkBsffUBiO8pTM3SnqLfejZ0hD9IKzHNnQkvfX58j0+BRooU 6Zrp99VJS6E9prMidfiVIsvySwABelqoYgVz2PltDKcctMOYUGKd0Cwg4rxuSYZmbBx+ Mbbw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ne26-20020a1709077b9a00b0072b67a5560fsi1513160ejc.1005.2022.07.20.03.02.58; Wed, 20 Jul 2022 03:03:31 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230101AbiGTJ5f (ORCPT + 99 others); Wed, 20 Jul 2022 05:57:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53838 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229523AbiGTJ5e (ORCPT ); Wed, 20 Jul 2022 05:57:34 -0400 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 52E8612A84 for ; Wed, 20 Jul 2022 02:57:33 -0700 (PDT) Received: from dggpemm500024.china.huawei.com (unknown [172.30.72.56]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4Lnrcl192pzWf0x; Wed, 20 Jul 2022 17:53:43 +0800 (CST) Received: from [10.67.110.173] (10.67.110.173) by dggpemm500024.china.huawei.com (7.185.36.203) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Wed, 20 Jul 2022 17:57:31 +0800 Message-ID: Date: Wed, 20 Jul 2022 17:57:30 +0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.8.0 Subject: Re: [PATCH v2] arm64/crypto: poly1305 fix a read out-of-bound Content-Language: en-US To: Will Deacon CC: , , , , , References: <20220712075031.29061-1-guozihua@huawei.com> <20220720094116.GC15752@willie-the-truck> From: "Guozihua (Scott)" In-Reply-To: <20220720094116.GC15752@willie-the-truck> Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: 7bit X-Originating-IP: [10.67.110.173] X-ClientProxiedBy: dggems701-chm.china.huawei.com (10.3.19.178) To dggpemm500024.china.huawei.com (7.185.36.203) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On 2022/7/20 17:41, Will Deacon wrote: > On Tue, Jul 12, 2022 at 03:50:31PM +0800, GUO Zihua wrote: >> A kasan error was reported during fuzzing: > > [...] > >> This patch fixes the issue by calling poly1305_init_arm64() instead of >> poly1305_init_arch(). This is also the implementation for the same >> algorithm on arm platform. >> >> Fixes: f569ca164751 ("crypto: arm64/poly1305 - incorporate OpenSSL/CRYPTOGAMS NEON implementation") >> Cc: stable@vger.kernel.org >> Signed-off-by: GUO Zihua >> --- >> arch/arm64/crypto/poly1305-glue.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) > > I'm not a crypto guy by any stretch of the imagination, but Ard is out > at the moment and this looks like an important fix so I had a crack at > reviewing it. > >> diff --git a/arch/arm64/crypto/poly1305-glue.c b/arch/arm64/crypto/poly1305-glue.c >> index 9c3d86e397bf..1fae18ba11ed 100644 >> --- a/arch/arm64/crypto/poly1305-glue.c >> +++ b/arch/arm64/crypto/poly1305-glue.c >> @@ -52,7 +52,7 @@ static void neon_poly1305_blocks(struct poly1305_desc_ctx *dctx, const u8 *src, >> { >> if (unlikely(!dctx->sset)) { >> if (!dctx->rset) { >> - poly1305_init_arch(dctx, src); >> + poly1305_init_arm64(&dctx->h, src); >> src += POLY1305_BLOCK_SIZE; >> len -= POLY1305_BLOCK_SIZE; >> dctx->rset = 1; > > With this change, we no longer initialise dctx->buflen to 0 as part of the > initialisation. Looking at neon_poly1305_do_update(), I'm a bit worried > that we could land in the 'if (likely(len >= POLY1305_BLOCK_SIZE))' block, > end up with len == 0 and fail to set dctx->buflen. Is this a problem, or is > my ignorance showing? > > Will > . Thanks Will. I noticed this as well, but I leaved it out so that the behavior is the same as the implementation for arm. The buflen here seems to be used for maintaining any excessive data after the last block, and is zeroed during init. I am not sure why it should be zeroed again during key initialization. Maybe the thought was that the very first block of the data is always used for initializing rset and that is also considered to be the "initialization" process for the algorithm, thus the zeroing of buflen. I could be completely wrong though. -- Best GUO Zihua