Date: Wed, 20 Jul 2022 19:37:17 -0700
From: Eric Biggers
To: "Guozihua (Scott)"
Cc: Will Deacon, linux-crypto@vger.kernel.org, linux-arm-kernel@lists.infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, catalin.marinas@arm.com
Subject: Re: [PATCH v2] arm64/crypto: poly1305 fix a read out-of-bound
References: <20220712075031.29061-1-guozihua@huawei.com> <20220720094116.GC15752@willie-the-truck>
X-Mailing-List: linux-crypto@vger.kernel.org

On Wed, Jul 20, 2022 at 05:57:30PM +0800, Guozihua (Scott) wrote:
> On 2022/7/20 17:41, Will Deacon wrote:
> > On Tue, Jul 12, 2022 at 03:50:31PM +0800, GUO Zihua wrote:
> > > A kasan error was reported during fuzzing:
> >
> > [...]
> >
> > > This patch fixes the issue by calling poly1305_init_arm64() instead of
> > > poly1305_init_arch(). This is also the implementation for the same
> > > algorithm on arm platform.
> > >
> > > Fixes: f569ca164751 ("crypto: arm64/poly1305 - incorporate OpenSSL/CRYPTOGAMS NEON implementation")
> > > Cc: stable@vger.kernel.org
> > > Signed-off-by: GUO Zihua
> > > ---
> > > arch/arm64/crypto/poly1305-glue.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > I'm not a crypto guy by any stretch of the imagination, but Ard is out
> > at the moment and this looks like an important fix so I had a crack at
> > reviewing it.
> >
> > > diff --git a/arch/arm64/crypto/poly1305-glue.c b/arch/arm64/crypto/poly1305-glue.c > > > index 9c3d86e397bf..1fae18ba11ed 100644 > > > --- a/arch/arm64/crypto/poly1305-glue.c > > > +++ b/arch/arm64/crypto/poly1305-glue.c > > > @@ -52,7 +52,7 @@ static void neon_poly1305_blocks(struct poly1305_desc_ctx *dctx, const u8 *src, > > > { > > > if (unlikely(!dctx->sset)) { > > > if (!dctx->rset) { > > > - poly1305_init_arch(dctx, src); > > > + poly1305_init_arm64(&dctx->h, src); > > > src += POLY1305_BLOCK_SIZE; > > > len -= POLY1305_BLOCK_SIZE; > > > dctx->rset = 1;
> >
> > With this change, we no longer initialise dctx->buflen to 0 as part of the
> > initialisation. Looking at neon_poly1305_do_update(), I'm a bit worried
> > that we could land in the 'if (likely(len >= POLY1305_BLOCK_SIZE))' block,
> > end up with len == 0 and fail to set dctx->buflen. Is this a problem, or is
> > my ignorance showing?
> >
> > Will
> > .
>
> Thanks Will.
>
> I noticed this as well, but I left it out so that the behavior is the same
> as the implementation for arm. The buflen here seems to be used for
> maintaining any excessive data after the last block, and is zeroed during
> init. I am not sure why it should be zeroed again during key initialization.
> Maybe the thought was that the very first block of the data is always used
> for initializing rset and that is also considered to be the "initialization"
> process for the algorithm, thus the zeroing of buflen. I could be completely
> wrong though.
>

buflen is initialized by neon_poly1305_init(), so there's no issue here.

- Eric
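
Review bot: the changelog does not say which read goes out of bounds at the replaced call in neon_poly1305_blocks(). The call is followed by "src += POLY1305_BLOCK_SIZE", so only one block of src is consumed on this path, and the commit message should state how many bytes of src poly1305_init_arch() and poly1305_init_arm64() each read, so the fix can be checked against that one block. The new call passes &dctx->h rather than dctx, so dctx->buflen is no longer written here; please name in the changelog, or in a short comment at the call, the function that is relied on to zero it.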