Received: by 2002:ac0:da4c:0:0:0:0:0 with SMTP id a12csp367105imi; Thu, 21 Jul 2022 02:32:17 -0700 (PDT) X-Google-Smtp-Source: AGRyM1udM9F9trUP4CHbm2D+UzMDn+QvzqV5nw9q+0Nral+8BGVkXUoQIG5KLLfotz3mzCETnOZ3 X-Received: by 2002:a63:f91e:0:b0:419:e9dd:6d97 with SMTP id h30-20020a63f91e000000b00419e9dd6d97mr26848916pgi.116.1658395936761; Thu, 21 Jul 2022 02:32:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1658395936; cv=none; d=google.com; s=arc-20160816; b=MGkJZZEZPMRKJyrentA5QKnbov3Nh2dllKLjXKUwGSr4HiyIPL3zbmjHfIyQQn4S+2 rTYP6fINOazXlty4d+5mZzDx22zSsnrThAOj2qW59/em/LDi0jNZd3yyyCchHLGozIbr fRtHtJJziDy/Xkj0cz1pIFOp1kWa6NEF9G4J+AyPdDWjmbzKM2Mh2QS46WveiUs1D1vb OS/7m3ZjaaBH9Rqi4Ft8mYonrrazGvHQBWuL7kdJs394mKP5kPWKj88YgLodY1gtmRxK znX8Rzg6uGM/oDwXHZq0r2yTRgy/NShtXRwD6xlwn4SxJrHzVjSxs9eAsTSyray0nuEz m7Jg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=FkulQKDJIVrqV6gAdS/cDc1TqgZnDgOcpELugaFvkxo=; b=vgdj9OfWeig32fUX2LtS2fnQbpWm6J6aTlC0oFBSTtcuXANI0HSAXlzmfs8AEiDRYC vdpE2JDaMFn5sE451nDDAfnuqDSXZzcYRe0ZJYoua4BSRRt7/DafeN8fEMqY+IT8SCp/ 8m4UlOCv53D7b0cxvlKfx10QpMiQMcK/RZxf2IaQjDumRqCPs4fnyIMBE4/Is25SVAgs sCgmK+v4t4KhBkyliLRz9AXVB2/RxwibEG1xOJeAKlHnTOc0wZI9Wge8HMnShxB/bIVH ha541xE4w43jY0ATb1kzKL2Ux877LhJKKROaZ/herI8e24F6abyAXEqIKSuTMm7kArIo aHBg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=eUaFp8AF; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id f20-20020a056a001ad400b00525421f9c3dsi2061311pfv.370.2022.07.21.02.31.49; Thu, 21 Jul 2022 02:32:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=eUaFp8AF; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232526AbiGUJ3O (ORCPT + 99 others); Thu, 21 Jul 2022 05:29:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59294 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232035AbiGUJ3K (ORCPT ); Thu, 21 Jul 2022 05:29:10 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7995A77A44 for ; Thu, 21 Jul 2022 02:29:05 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 2491A61F43 for ; Thu, 21 Jul 2022 09:29:05 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 09568C3411E; Thu, 21 Jul 2022 09:29:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1658395744; bh=KEw8DJskb+PpDSC3YoCIg+9N695Dji/DNPBN8KYVkdc=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=eUaFp8AFW8YXdERoEetTOLC2u7uiXq+CUrIREd5VD4Nboma6aOESnnLdhd1VMD8+7 xEyfmrqCCHDadu+ZfzNwj5zT9BK6wGHkDm+/wymgvf1LTuBzJn6oXSWJSF/VQcax/z rsSqQrVIYroUuzub1cDHflSRnc52TpbB4A10b+E6cWM0L10rftBYegVqgWQdaRdziB tJKaJGX6Zepam4sCaU0lD+W4uKubmdkccYwnD8EumgdBbHg9qR/hxlYIhGmgGuSWQ+ 9ZhUn3svn5MT635ySRz44gUe3XfyvA72NXYtYdYApAHki24Gi3N7NlzDFhsumrhaWX 1Ouy/OC8thbLw== Date: Thu, 21 Jul 2022 10:28:58 +0100 From: Will Deacon To: Eric Biggers Cc: "Guozihua (Scott)" , linux-crypto@vger.kernel.org, linux-arm-kernel@lists.infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, catalin.marinas@arm.com Subject: Re: [PATCH v2] arm64/crypto: poly1305 fix a read out-of-bound Message-ID: <20220721092858.GA17088@willie-the-truck> References: <20220712075031.29061-1-guozihua@huawei.com> <20220720094116.GC15752@willie-the-truck> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) X-Spam-Status: No, score=-7.8 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Wed, Jul 20, 2022 at 07:37:17PM -0700, Eric Biggers wrote: > On Wed, Jul 20, 2022 at 05:57:30PM +0800, Guozihua (Scott) wrote: > > On 2022/7/20 17:41, Will Deacon wrote: > > > On Tue, Jul 12, 2022 at 03:50:31PM +0800, GUO Zihua wrote: > > > > A kasan error was reported during fuzzing: > > > > > > [...] > > > > > > > This patch fixes the issue by calling poly1305_init_arm64() instead of > > > > poly1305_init_arch(). This is also the implementation for the same > > > > algorithm on arm platform. > > > > > > > > Fixes: f569ca164751 ("crypto: arm64/poly1305 - incorporate OpenSSL/CRYPTOGAMS NEON implementation") > > > > Cc: stable@vger.kernel.org > > > > Signed-off-by: GUO Zihua > > > > --- > > > > arch/arm64/crypto/poly1305-glue.c | 2 +- > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > I'm not a crypto guy by any stretch of the imagination, but Ard is out > > > at the moment and this looks like an important fix so I had a crack at > > > reviewing it. > > > > > > > diff --git a/arch/arm64/crypto/poly1305-glue.c b/arch/arm64/crypto/poly1305-glue.c > > > > index 9c3d86e397bf..1fae18ba11ed 100644 > > > > --- a/arch/arm64/crypto/poly1305-glue.c > > > > +++ b/arch/arm64/crypto/poly1305-glue.c > > > > @@ -52,7 +52,7 @@ static void neon_poly1305_blocks(struct poly1305_desc_ctx *dctx, const u8 *src, > > > > { > > > > if (unlikely(!dctx->sset)) { > > > > if (!dctx->rset) { > > > > - poly1305_init_arch(dctx, src); > > > > + poly1305_init_arm64(&dctx->h, src); > > > > src += POLY1305_BLOCK_SIZE; > > > > len -= POLY1305_BLOCK_SIZE; > > > > dctx->rset = 1; > > > > > > With this change, we no longer initialise dctx->buflen to 0 as part of the > > > initialisation. Looking at neon_poly1305_do_update(), I'm a bit worried > > > that we could land in the 'if (likely(len >= POLY1305_BLOCK_SIZE))' block, > > > end up with len == 0 and fail to set dctx->buflen. Is this a problem, or is > > > my ignorance showing? > > > > > > Will > > > . > > > > Thanks Will. > > > > I noticed this as well, but I leaved it out so that the behavior is the same > > as the implementation for arm. The buflen here seems to be used for > > maintaining any excessive data after the last block, and is zeroed during > > init. I am not sure why it should be zeroed again during key initialization. > > Maybe the thought was that the very first block of the data is always used > > for initializing rset and that is also considered to be the "initialization" > > process for the algorithm, thus the zeroing of buflen. I could be completely > > wrong though. > > > > buflen is initialized by neon_poly1305_init(), so there's no issue here. Ah yes, thanks. I missed that. In which case, for the very little it's worth: Acked-by: Will Deacon Herbert, please can you pick this up? Will