Received: by 2002:a05:7412:798b:b0:fc:a2b0:25d7 with SMTP id fb11csp21912rdb;
        Wed, 21 Feb 2024 15:38:05 -0800 (PST)
X-Forwarded-Encrypted: i=3; AJvYcCXpUUBmRgeTq4o7gl9cJk7BJYE37/uWYVSthx7qSReVUXVVAbsLENzFZvFcPjChOMlWTnVeo7HvkvocnWDyO7xqe4WM5a+jx/9ioKLdIw==
X-Google-Smtp-Source: AGHT+IEhNOOJvSYdHYX0hoX4GRpCRBTSwOhpx14xkvuXrzXNbH3lvUr+9CmomJOg0ixpPxzKPmoL
X-Received: by 2002:a05:6a00:c8c:b0:6e4:8b55:68b1 with SMTP id a12-20020a056a000c8c00b006e48b5568b1mr1269267pfv.1.1708558685351;
        Wed, 21 Feb 2024 15:38:05 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1708558685; cv=pass;
        d=google.com; s=arc-20160816;
        b=Lp3FCHGZORmyiEIRib+z3jFI53USbxcsXM6GH+1ShYBjsPYFkipJFg6RbPxiAiAa73
         NioAmnoveTeeSVP2S40fdYqJ5wMbZ7FkolDU/LcK/tPJuemuZlDivYES8pNA9EI5yyKr
         znAVxIPvwjMKxcSDyGlaZSYT3Adif8+l3ogPVgJyKGaRf47eKYxCYJEZT8VZRBHU8IUx
         N0xhzZQBhsYH5vDCUJBdiX5WjE09vIRPXboEApCo10VkAmCameAsuT7gvyqiMxAl3+pV
         k5MjPuCh9rmNIt/B/3n/FfzyKM1Xup7tFxZfJnM6nzzEo6rmpZbiUg4X6f5eC8F/3Ox3
         2EFw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:list-unsubscribe:list-subscribe:list-id:precedence
         :dkim-signature;
        bh=eC9YzG/osYE7EqPssJnkuCd+QUFGw3xAXVUTqBZAD+Q=;
        fh=mdHcR8Nv3Z3lm4L9oywj9EWbcazNSjbohBcYvEmgHhE=;
        b=nxS8iKiiMNeHEOe/jstcOdYNxSbQg40V6OZVypCija0V/PJRnv0l5lwibHDNGOMJ1B
         QBUsq46zMI9RXhyqD7LvY+QMAErM7cjcvlQSExpxm4R4kL47IOC4KjbKZEZg8eVK/yPV
         NboONYGev+fFrsMsOPki9BFvP27atGkYAzwda/3F8y3lfzVCEUeoaQdyMKQkyG+pXP6C
         6EfkJl4Xe259mNUkEX0ZQvBAQOn5zgWG7b1M7rKlgDryZAjnUJGpbRhtsmfkj+CF45uu
         3Vd5U0iqNPf3deLGY9hfD44wGFVmMuDwm+8QTDGas/VP92PEyA8uUcurvusQMbvWxBZ8
         O/JA==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=UaKnizN0;
       arc=pass (i=1 dkim=pass dkdomain=kernel.org);
       spf=pass (google.com: domain of linux-crypto+bounces-2236-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-crypto+bounces-2236-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-crypto+bounces-2236-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1])
        by mx.google.com with ESMTPS id eb2-20020a056a004c8200b006e4ca8368e1si150542pfb.267.2024.02.21.15.38.05
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 21 Feb 2024 15:38:05 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-crypto+bounces-2236-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=UaKnizN0;
       arc=pass (i=1 dkim=pass dkdomain=kernel.org);
       spf=pass (google.com: domain of linux-crypto+bounces-2236-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-crypto+bounces-2236-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sv.mirrors.kernel.org (Postfix) with ESMTPS id 1445628357C
	for <linux.lists.archive@gmail.com>; Wed, 21 Feb 2024 23:38:05 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id B4AF31292FC;
	Wed, 21 Feb 2024 23:38:01 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="UaKnizN0"
X-Original-To: linux-crypto@vger.kernel.org
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 718FB126F00;
	Wed, 21 Feb 2024 23:38:01 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1708558681; cv=none; b=n3TP5VtTZ6LN/cdGeXXIIhHA3q69R4bRc/7uKSub9S0DyA218S+E6ZySW3/ZXf3r4YcdXX5getksYs4XI7NQ6wonNbf/NBBzUBqnlWHhqKxQSDPEEkBacMasBC3yV7zLtjjI1br963H4nEfmOaZZVnm7Ep7M6mnhyS3mgl9O35I=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1708558681; c=relaxed/simple;
	bh=WAXaGEI2juxPFHl35+ioThue0wtLioF1NPhr5VM0UkQ=;
	h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject:
	 To:Cc:Content-Type; b=V1tZ+v/80EnoR4EOsNcQhTf4Z1Cuco6zRbfgZc8GHb7ZxSuidZjkFYov2DgnIx/w0MhcnGxAiqx26UjrCGhn42kcSIZkLwsUSYXnU9U4i54606zXGxu8kklGeTintN/RylRERqojEJ5ocWQ2Ix5dvfkPhiZx3iXtjgEhvzvy9oM=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=UaKnizN0; arc=none smtp.client-ip=10.30.226.201
Received: by smtp.kernel.org (Postfix) with ESMTPSA id DBD99C433C7;
	Wed, 21 Feb 2024 23:38:00 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1708558680;
	bh=WAXaGEI2juxPFHl35+ioThue0wtLioF1NPhr5VM0UkQ=;
	h=References:In-Reply-To:From:Date:Subject:To:Cc:From;
	b=UaKnizN0x8enyIettGm+0P9IFjEgQle8zT06jCvWpkm0F+ga7+XKvPsmE4mZiHQS0
	 BtxooqOJbBXO+orTooSB2dk79aZLlvx55IOj7iMoQ9tC+gsYfVrezizdGqzykHDM65
	 0LpbaMrtIPBHN9vTlzpMdStwUdJ2V4OR2UfX1Ac/x/on6gneACcmSeU3wtNoGE0mrs
	 VPnn8nOwxumtIm+12Av4cOyLGvpx/2j2iEPpNXKDNgj5wjwxJ6vCXxb61c0IQUrpye
	 qbXyG8P5/wJymdr3qpppBsIvqcv00sWt0t9VowKXp7K+bJlG8Vb6SLL40fRKNJwAJF
	 WK4CLvUEnGkCA==
Received: by mail-lf1-f54.google.com with SMTP id 2adb3069b0e04-511ac32fe38so11071978e87.1;
        Wed, 21 Feb 2024 15:38:00 -0800 (PST)
X-Forwarded-Encrypted: i=1; AJvYcCUcV2BLMgAGEuaU81K8xVwOmrrFx2ZSjxRqVw/Sl38dghL5Qp0rQICtHRLl75pGwnqyVh4JaADGLWAW9dgvGjMEHXJTg64H
X-Gm-Message-State: AOJu0YzmTdmtreZ98JyH1G8WYfXAkxwvc6Jf1Mvrv8jFj/q1CyQy5v9S
	oncY+kMn6QUUtiPxIWM5miQvlSxt7mH+ix32DHN9+GXJ3pBKL+tLez4VvGr02rf7/cTUTWI3vvH
	FGl/XIjYjfkE9jJ9Y6YGYHz0sG4M=
X-Received: by 2002:a05:6512:3a83:b0:512:b04a:aa56 with SMTP id
 q3-20020a0565123a8300b00512b04aaa56mr10911020lfu.24.1708558679072; Wed, 21
 Feb 2024 15:37:59 -0800 (PST)
Precedence: bulk
X-Mailing-List: linux-crypto@vger.kernel.org
List-Id: <linux-crypto.vger.kernel.org>
List-Subscribe: <mailto:linux-crypto+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-crypto+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
References: <20240217161151.3987164-2-ardb+git@google.com>
In-Reply-To: <20240217161151.3987164-2-ardb+git@google.com>
From: Ard Biesheuvel <ardb@kernel.org>
Date: Thu, 22 Feb 2024 00:37:45 +0100
X-Gmail-Original-Message-ID: <CAMj1kXH+k4Z_iowxp+t=yU4tQFwLYjQxAQ92bga-xeZxE734BA@mail.gmail.com>
Message-ID: <CAMj1kXH+k4Z_iowxp+t=yU4tQFwLYjQxAQ92bga-xeZxE734BA@mail.gmail.com>
Subject: Re: [PATCH] crypto: arm64/neonbs - fix out-of-bounds access on short input
To: Ard Biesheuvel <ardb+git@google.com>
Cc: linux-crypto@vger.kernel.org, herbert@gondor.apana.org.au, 
	stable@vger.kernel.org, syzbot+f1ceaa1a09ab891e1934@syzkaller.appspotmail.com
Content-Type: text/plain; charset="UTF-8"

On Sat, 17 Feb 2024 at 17:12, Ard Biesheuvel <ardb+git@google.com> wrote:
>
> From: Ard Biesheuvel <ardb@kernel.org>
>
> The bit-sliced implementation of AES-CTR operates on blocks of 128
> bytes, and will fall back to the plain NEON version for tail blocks or
> inputs that are shorter than 128 bytes to begin with.
>
> It will call straight into the plain NEON asm helper, which performs all
> memory accesses in granules of 16 bytes (the size of a NEON register).
> For this reason, the associated plain NEON glue code will copy inputs
> shorter than 16 bytes into a temporary buffer, given that this is a rare
> occurrence and it is not worth the effort to work around this in the asm
> code.
>
> The fallback from the bit-sliced NEON version fails to take this into
> account, potentially resulting in out-of-bounds accesses. So clone the
> same workaround, and use a temp buffer for short in/outputs.
>
> Cc: <stable@vger.kernel.org>
> Reported-by: syzbot+f1ceaa1a09ab891e1934@syzkaller.appspotmail.com
> Tested-by: syzbot+f1ceaa1a09ab891e1934@syzkaller.appspotmail.com
> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>

Ping?

> ---
>  arch/arm64/crypto/aes-neonbs-glue.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)
>
> diff --git a/arch/arm64/crypto/aes-neonbs-glue.c b/arch/arm64/crypto/aes-neonbs-glue.c
> index bac4cabef607..849dc41320db 100644
> --- a/arch/arm64/crypto/aes-neonbs-glue.c
> +++ b/arch/arm64/crypto/aes-neonbs-glue.c
> @@ -227,8 +227,19 @@ static int ctr_encrypt(struct skcipher_request *req)
>                         src += blocks * AES_BLOCK_SIZE;
>                 }
>                 if (nbytes && walk.nbytes == walk.total) {
> +                       u8 buf[AES_BLOCK_SIZE];
> +                       u8 *d = dst;
> +
> +                       if (unlikely(nbytes < AES_BLOCK_SIZE))
> +                               src = dst = memcpy(buf + sizeof(buf) - nbytes,
> +                                                  src, nbytes);
> +
>                         neon_aes_ctr_encrypt(dst, src, ctx->enc, ctx->key.rounds,
>                                              nbytes, walk.iv);
> +
> +                       if (unlikely(nbytes < AES_BLOCK_SIZE))
> +                               memcpy(d, buf + sizeof(buf) - nbytes, nbytes);
> +
>                         nbytes = 0;
>                 }
>                 kernel_neon_end();
> --
> 2.44.0.rc0.258.g7320e95886-goog
>