Received: by 2002:ad5:4acb:0:0:0:0:0 with SMTP id n11csp5299490imw;
        Wed, 20 Jul 2022 03:03:31 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1vfhMM75Nw5SE46z8MCyAnFRVCspr38iXcqbV37Jwm+oIg36+w3H5lytrbMuZgVRRZj6jdt
X-Received: by 2002:a05:6402:2816:b0:434:ed38:16f3 with SMTP id h22-20020a056402281600b00434ed3816f3mr49874876ede.116.1658311411504;
        Wed, 20 Jul 2022 03:03:31 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1658311411; cv=none;
        d=google.com; s=arc-20160816;
        b=S+bvZN3l6ZJirjBZBsV45RyJDevCGixmowQdgb/Z+s9XJ3VMULxyRGfCPtn6HbSxpd
         4yDhuP1BSBFZB84gwAIjuJyb8WjEajqecEEG0tMSMAYE0gvMG6BfLKzFfBkg+i+1njbd
         I7VukdHPpgWauZfLTRUT1VRXWh4AHO+saDtq8zQGFiBzVf1g89ryKiUk5Gvro1gNjG6r
         1BsT0M4YKjAEBJbCOVVf8UuyUZfCU9QlmcIfJlfUwqaVFVHQ4vCnYDWezjEhSSakRZND
         BgZRGSGDa6d8P7eWZoN/c9QvsA7ZL1biU13JA2PV0KW5H455rFU7BqBjZZvCsdQI8GM2
         Xmtg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :references:cc:to:content-language:subject:user-agent:mime-version
         :date:message-id;
        bh=6Hqb1gOaPW8ctsL4J2UtyrwBWxNcnqOIOlj36r3TrTg=;
        b=MIZXt2xl/UMj6w0ucYeBx2uGZsqm0yfcHYcdOz3Sp3eCjM9b8JwDrsjuiiGIj6Y9cq
         bNPnp092QFbzBvszf6zBf4I3Sy4COxqhy3iH57OUlhwHCQeLqHiL62/aUbN6zBYLeBmT
         Tg2B7EYnWZ9CGj7s6GwWaOeQ3C/DkNogoPzi7tjnisWFPu9+DDFSx8pkNIyBldgovz22
         0S8MfbRgGYwA9OGAOXh4CkBsffUBiO8pTM3SnqLfejZ0hD9IKzHNnQkvfX58j0+BRooU
         6Zrp99VJS6E9prMidfiVIsvySwABelqoYgVz2PltDKcctMOYUGKd0Cwg4rxuSYZmbBx+
         Mbbw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id ne26-20020a1709077b9a00b0072b67a5560fsi1513160ejc.1005.2022.07.20.03.02.58;
        Wed, 20 Jul 2022 03:03:31 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230101AbiGTJ5f (ORCPT <rfc822;asvdem@gmail.com> + 99 others);
        Wed, 20 Jul 2022 05:57:35 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53838 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229523AbiGTJ5e (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Wed, 20 Jul 2022 05:57:34 -0400
Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 52E8612A84
        for <linux-crypto@vger.kernel.org>; Wed, 20 Jul 2022 02:57:33 -0700 (PDT)
Received: from dggpemm500024.china.huawei.com (unknown [172.30.72.56])
        by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4Lnrcl192pzWf0x;
        Wed, 20 Jul 2022 17:53:43 +0800 (CST)
Received: from [10.67.110.173] (10.67.110.173) by
 dggpemm500024.china.huawei.com (7.185.36.203) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2375.24; Wed, 20 Jul 2022 17:57:31 +0800
Message-ID: <a29cb083-0305-3467-976c-e541daefc5e8@huawei.com>
Date:   Wed, 20 Jul 2022 17:57:30 +0800
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
 Thunderbird/91.8.0
Subject: Re: [PATCH v2] arm64/crypto: poly1305 fix a read out-of-bound
Content-Language: en-US
To:     Will Deacon <will@kernel.org>
CC:     <linux-crypto@vger.kernel.org>,
        <linux-arm-kernel@lists.infradead.org>,
        <herbert@gondor.apana.org.au>, <davem@davemloft.net>,
        <catalin.marinas@arm.com>, <ebiggers@kernel.org>
References: <20220712075031.29061-1-guozihua@huawei.com>
 <20220720094116.GC15752@willie-the-truck>
From:   "Guozihua (Scott)" <guozihua@huawei.com>
In-Reply-To: <20220720094116.GC15752@willie-the-truck>
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.67.110.173]
X-ClientProxiedBy: dggems701-chm.china.huawei.com (10.3.19.178) To
 dggpemm500024.china.huawei.com (7.185.36.203)
X-CFilter-Loop: Reflected
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,NICE_REPLY_A,
        RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

On 2022/7/20 17:41, Will Deacon wrote:
> On Tue, Jul 12, 2022 at 03:50:31PM +0800, GUO Zihua wrote:
>> A kasan error was reported during fuzzing:
> 
> [...]
> 
>> This patch fixes the issue by calling poly1305_init_arm64() instead of
>> poly1305_init_arch(). This is also the implementation for the same
>> algorithm on arm platform.
>>
>> Fixes: f569ca164751 ("crypto: arm64/poly1305 - incorporate OpenSSL/CRYPTOGAMS NEON implementation")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: GUO Zihua <guozihua@huawei.com>
>> ---
>>   arch/arm64/crypto/poly1305-glue.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> I'm not a crypto guy by any stretch of the imagination, but Ard is out
> at the moment and this looks like an important fix so I had a crack at
> reviewing it.
> 
>> diff --git a/arch/arm64/crypto/poly1305-glue.c b/arch/arm64/crypto/poly1305-glue.c
>> index 9c3d86e397bf..1fae18ba11ed 100644
>> --- a/arch/arm64/crypto/poly1305-glue.c
>> +++ b/arch/arm64/crypto/poly1305-glue.c
>> @@ -52,7 +52,7 @@ static void neon_poly1305_blocks(struct poly1305_desc_ctx *dctx, const u8 *src,
>>   {
>>   	if (unlikely(!dctx->sset)) {
>>   		if (!dctx->rset) {
>> -			poly1305_init_arch(dctx, src);
>> +			poly1305_init_arm64(&dctx->h, src);
>>   			src += POLY1305_BLOCK_SIZE;
>>   			len -= POLY1305_BLOCK_SIZE;
>>   			dctx->rset = 1;
> 
> With this change, we no longer initialise dctx->buflen to 0 as part of the
> initialisation. Looking at neon_poly1305_do_update(), I'm a bit worried
> that we could land in the 'if (likely(len >= POLY1305_BLOCK_SIZE))' block,
> end up with len == 0 and fail to set dctx->buflen. Is this a problem, or is
> my ignorance showing?
> 
> Will
> .

Thanks Will.

I noticed this as well, but I leaved it out so that the behavior is the 
same as the implementation for arm. The buflen here seems to be used for 
maintaining any excessive data after the last block, and is zeroed 
during init. I am not sure why it should be zeroed again during key 
initialization. Maybe the thought was that the very first block of the 
data is always used for initializing rset and that is also considered to 
be the "initialization" process for the algorithm, thus the zeroing of 
buflen. I could be completely wrong though.

-- 
Best
GUO Zihua