Received: by 2002:ac0:da4c:0:0:0:0:0 with SMTP id a12csp230984imi; Thu, 21 Jul 2022 20:23:10 -0700 (PDT) X-Google-Smtp-Source: AGRyM1vHMlCz2xNS+sK/EG7LK4GR2QwftAfeBqQ5ZVVhk3SwCXG5NhzhLyvSg8hk++LOs1tb6ebH X-Received: by 2002:a17:90a:d506:b0:1f0:74ba:9775 with SMTP id t6-20020a17090ad50600b001f074ba9775mr1750267pju.151.1658460190466; Thu, 21 Jul 2022 20:23:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1658460190; cv=none; d=google.com; s=arc-20160816; b=xuoo8yF/TchvMN7hOVwdQJLf1cVl+Lf4zltOQugUHnfbzTkrjzVrhNEv/tD+CyPyKt orpa+TPQ1qSffC9iGN5tQ14LSIEetjZH4D37NYbOCfAkgUlzCL59UJlbR2Et8keb/uHd ucm3HGKjLgCeET7wRLqnPUue5ajVozRn7/zojcz7TTWqpi9CU3XaytDj8R7maEgvfAsG +3aTY99IwmnV0chzGDc+J5wgSmNFR1N+g0/SU2g8nQmNeWt9XI+qgZ3lCHrp92lVomzm jUjsZl8MNmSr2bUnNGKfi4GgjxYUfrUUzOZTSCMnR8rif2kxCf/nRvF5SYNHLsqH6VBN 2jjQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=bmRT4xy2RnwJy/Q6g3PMgU19dHlFMoNz2ECWoNt119E=; b=iIufvBzb1KGRISqmrSiW2b7ay0lP3w14Ew8X9f/Z1rF1/UBmFLf68QJpq4Geb9yhlO hFByNFUk1N5DVhyrpYEyLZxE3HDbHticm77aetiIJ3JB+yZUQe7yh5dLsJEXMwdlbW6Q gRm6cLE8jWEOgYLUPihC8o3aoRvTwQtydUKbOzgoeFn3umaT4QN+uqVOU/dfBvxnOqQy FbaLh4JmkLFzOcMxEQNgRh56l5kP9osl36lo7pNyenF5SNqd/Ot329c4v52TXkU9IUKl Pb6nnzT4zWMcbpZpHlJXaNa/IvM7ikV2+b21WqKNQhq+tM5Z9DTXDy7USp6uvN6mYSev qySw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id l24-20020a639858000000b0041a5a805ef8si4205674pgo.118.2022.07.21.20.22.42; Thu, 21 Jul 2022 20:23:10 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231548AbiGVDO6 (ORCPT + 99 others); Thu, 21 Jul 2022 23:14:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39754 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230367AbiGVDO5 (ORCPT ); Thu, 21 Jul 2022 23:14:57 -0400 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4C41E23167 for ; Thu, 21 Jul 2022 20:14:55 -0700 (PDT) Received: from dggpemm500024.china.huawei.com (unknown [172.30.72.56]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4Lpvcq75K3zkXQd; Fri, 22 Jul 2022 11:12:27 +0800 (CST) Received: from [10.67.110.173] (10.67.110.173) by dggpemm500024.china.huawei.com (7.185.36.203) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Fri, 22 Jul 2022 11:14:52 +0800 Message-ID: <6eb023d2-ba6a-c033-9d16-e03d3e5fa286@huawei.com> Date: Fri, 22 Jul 2022 11:14:52 +0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.8.0 Subject: Re: [PATCH v2] arm64/crypto: poly1305 fix a read out-of-bound Content-Language: en-US To: Will Deacon , Eric Biggers CC: , , , , References: <20220712075031.29061-1-guozihua@huawei.com> <20220720094116.GC15752@willie-the-truck> <20220721092858.GA17088@willie-the-truck> From: "Guozihua (Scott)" In-Reply-To: <20220721092858.GA17088@willie-the-truck> Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: 7bit X-Originating-IP: [10.67.110.173] X-ClientProxiedBy: dggems702-chm.china.huawei.com (10.3.19.179) To dggpemm500024.china.huawei.com (7.185.36.203) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On 2022/7/21 17:28, Will Deacon wrote: > On Wed, Jul 20, 2022 at 07:37:17PM -0700, Eric Biggers wrote: >> On Wed, Jul 20, 2022 at 05:57:30PM +0800, Guozihua (Scott) wrote: >>> On 2022/7/20 17:41, Will Deacon wrote: >>>> On Tue, Jul 12, 2022 at 03:50:31PM +0800, GUO Zihua wrote: >>>>> A kasan error was reported during fuzzing: >>>> >>>> [...] >>>> >>>>> This patch fixes the issue by calling poly1305_init_arm64() instead of >>>>> poly1305_init_arch(). This is also the implementation for the same >>>>> algorithm on arm platform. >>>>> >>>>> Fixes: f569ca164751 ("crypto: arm64/poly1305 - incorporate OpenSSL/CRYPTOGAMS NEON implementation") >>>>> Cc: stable@vger.kernel.org >>>>> Signed-off-by: GUO Zihua >>>>> --- >>>>> arch/arm64/crypto/poly1305-glue.c | 2 +- >>>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> I'm not a crypto guy by any stretch of the imagination, but Ard is out >>>> at the moment and this looks like an important fix so I had a crack at >>>> reviewing it. >>>> >>>>> diff --git a/arch/arm64/crypto/poly1305-glue.c b/arch/arm64/crypto/poly1305-glue.c >>>>> index 9c3d86e397bf..1fae18ba11ed 100644 >>>>> --- a/arch/arm64/crypto/poly1305-glue.c >>>>> +++ b/arch/arm64/crypto/poly1305-glue.c >>>>> @@ -52,7 +52,7 @@ static void neon_poly1305_blocks(struct poly1305_desc_ctx *dctx, const u8 *src, >>>>> { >>>>> if (unlikely(!dctx->sset)) { >>>>> if (!dctx->rset) { >>>>> - poly1305_init_arch(dctx, src); >>>>> + poly1305_init_arm64(&dctx->h, src); >>>>> src += POLY1305_BLOCK_SIZE; >>>>> len -= POLY1305_BLOCK_SIZE; >>>>> dctx->rset = 1; >>>> >>>> With this change, we no longer initialise dctx->buflen to 0 as part of the >>>> initialisation. Looking at neon_poly1305_do_update(), I'm a bit worried >>>> that we could land in the 'if (likely(len >= POLY1305_BLOCK_SIZE))' block, >>>> end up with len == 0 and fail to set dctx->buflen. Is this a problem, or is >>>> my ignorance showing? >>>> >>>> Will >>>> . >>> >>> Thanks Will. >>> >>> I noticed this as well, but I leaved it out so that the behavior is the same >>> as the implementation for arm. The buflen here seems to be used for >>> maintaining any excessive data after the last block, and is zeroed during >>> init. I am not sure why it should be zeroed again during key initialization. >>> Maybe the thought was that the very first block of the data is always used >>> for initializing rset and that is also considered to be the "initialization" >>> process for the algorithm, thus the zeroing of buflen. I could be completely >>> wrong though. >>> >> >> buflen is initialized by neon_poly1305_init(), so there's no issue here. > > Ah yes, thanks. I missed that. In which case, for the very little it's > worth: > > Acked-by: Will Deacon > > Herbert, please can you pick this up? > > Will > . Thanks Will. Herbert, would you please wait for a v3 patch? I'll update the reproduce example based on Eric's comment. -- Best GUO Zihua