Received: by 2002:a05:7412:798b:b0:fc:a2b0:25d7 with SMTP id fb11csp21912rdb; Wed, 21 Feb 2024 15:38:05 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCXpUUBmRgeTq4o7gl9cJk7BJYE37/uWYVSthx7qSReVUXVVAbsLENzFZvFcPjChOMlWTnVeo7HvkvocnWDyO7xqe4WM5a+jx/9ioKLdIw== X-Google-Smtp-Source: AGHT+IEhNOOJvSYdHYX0hoX4GRpCRBTSwOhpx14xkvuXrzXNbH3lvUr+9CmomJOg0ixpPxzKPmoL X-Received: by 2002:a05:6a00:c8c:b0:6e4:8b55:68b1 with SMTP id a12-20020a056a000c8c00b006e48b5568b1mr1269267pfv.1.1708558685351; Wed, 21 Feb 2024 15:38:05 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1708558685; cv=pass; d=google.com; s=arc-20160816; b=Lp3FCHGZORmyiEIRib+z3jFI53USbxcsXM6GH+1ShYBjsPYFkipJFg6RbPxiAiAa73 NioAmnoveTeeSVP2S40fdYqJ5wMbZ7FkolDU/LcK/tPJuemuZlDivYES8pNA9EI5yyKr znAVxIPvwjMKxcSDyGlaZSYT3Adif8+l3ogPVgJyKGaRf47eKYxCYJEZT8VZRBHU8IUx N0xhzZQBhsYH5vDCUJBdiX5WjE09vIRPXboEApCo10VkAmCameAsuT7gvyqiMxAl3+pV k5MjPuCh9rmNIt/B/3n/FfzyKM1Xup7tFxZfJnM6nzzEo6rmpZbiUg4X6f5eC8F/3Ox3 2EFw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :dkim-signature; bh=eC9YzG/osYE7EqPssJnkuCd+QUFGw3xAXVUTqBZAD+Q=; fh=mdHcR8Nv3Z3lm4L9oywj9EWbcazNSjbohBcYvEmgHhE=; b=nxS8iKiiMNeHEOe/jstcOdYNxSbQg40V6OZVypCija0V/PJRnv0l5lwibHDNGOMJ1B QBUsq46zMI9RXhyqD7LvY+QMAErM7cjcvlQSExpxm4R4kL47IOC4KjbKZEZg8eVK/yPV NboONYGev+fFrsMsOPki9BFvP27atGkYAzwda/3F8y3lfzVCEUeoaQdyMKQkyG+pXP6C 6EfkJl4Xe259mNUkEX0ZQvBAQOn5zgWG7b1M7rKlgDryZAjnUJGpbRhtsmfkj+CF45uu 3Vd5U0iqNPf3deLGY9hfD44wGFVmMuDwm+8QTDGas/VP92PEyA8uUcurvusQMbvWxBZ8 O/JA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=UaKnizN0; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-crypto+bounces-2236-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-crypto+bounces-2236-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id eb2-20020a056a004c8200b006e4ca8368e1si150542pfb.267.2024.02.21.15.38.05 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 21 Feb 2024 15:38:05 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto+bounces-2236-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=UaKnizN0; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-crypto+bounces-2236-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-crypto+bounces-2236-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 1445628357C for ; Wed, 21 Feb 2024 23:38:05 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id B4AF31292FC; Wed, 21 Feb 2024 23:38:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="UaKnizN0" X-Original-To: linux-crypto@vger.kernel.org Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 718FB126F00; Wed, 21 Feb 2024 23:38:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708558681; cv=none; b=n3TP5VtTZ6LN/cdGeXXIIhHA3q69R4bRc/7uKSub9S0DyA218S+E6ZySW3/ZXf3r4YcdXX5getksYs4XI7NQ6wonNbf/NBBzUBqnlWHhqKxQSDPEEkBacMasBC3yV7zLtjjI1br963H4nEfmOaZZVnm7Ep7M6mnhyS3mgl9O35I= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708558681; c=relaxed/simple; bh=WAXaGEI2juxPFHl35+ioThue0wtLioF1NPhr5VM0UkQ=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=V1tZ+v/80EnoR4EOsNcQhTf4Z1Cuco6zRbfgZc8GHb7ZxSuidZjkFYov2DgnIx/w0MhcnGxAiqx26UjrCGhn42kcSIZkLwsUSYXnU9U4i54606zXGxu8kklGeTintN/RylRERqojEJ5ocWQ2Ix5dvfkPhiZx3iXtjgEhvzvy9oM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=UaKnizN0; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id DBD99C433C7; Wed, 21 Feb 2024 23:38:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708558680; bh=WAXaGEI2juxPFHl35+ioThue0wtLioF1NPhr5VM0UkQ=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=UaKnizN0x8enyIettGm+0P9IFjEgQle8zT06jCvWpkm0F+ga7+XKvPsmE4mZiHQS0 BtxooqOJbBXO+orTooSB2dk79aZLlvx55IOj7iMoQ9tC+gsYfVrezizdGqzykHDM65 0LpbaMrtIPBHN9vTlzpMdStwUdJ2V4OR2UfX1Ac/x/on6gneACcmSeU3wtNoGE0mrs VPnn8nOwxumtIm+12Av4cOyLGvpx/2j2iEPpNXKDNgj5wjwxJ6vCXxb61c0IQUrpye qbXyG8P5/wJymdr3qpppBsIvqcv00sWt0t9VowKXp7K+bJlG8Vb6SLL40fRKNJwAJF WK4CLvUEnGkCA== Received: by mail-lf1-f54.google.com with SMTP id 2adb3069b0e04-511ac32fe38so11071978e87.1; Wed, 21 Feb 2024 15:38:00 -0800 (PST) X-Forwarded-Encrypted: i=1; AJvYcCUcV2BLMgAGEuaU81K8xVwOmrrFx2ZSjxRqVw/Sl38dghL5Qp0rQICtHRLl75pGwnqyVh4JaADGLWAW9dgvGjMEHXJTg64H X-Gm-Message-State: AOJu0YzmTdmtreZ98JyH1G8WYfXAkxwvc6Jf1Mvrv8jFj/q1CyQy5v9S oncY+kMn6QUUtiPxIWM5miQvlSxt7mH+ix32DHN9+GXJ3pBKL+tLez4VvGr02rf7/cTUTWI3vvH FGl/XIjYjfkE9jJ9Y6YGYHz0sG4M= X-Received: by 2002:a05:6512:3a83:b0:512:b04a:aa56 with SMTP id q3-20020a0565123a8300b00512b04aaa56mr10911020lfu.24.1708558679072; Wed, 21 Feb 2024 15:37:59 -0800 (PST) Precedence: bulk X-Mailing-List: linux-crypto@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20240217161151.3987164-2-ardb+git@google.com> In-Reply-To: <20240217161151.3987164-2-ardb+git@google.com> From: Ard Biesheuvel Date: Thu, 22 Feb 2024 00:37:45 +0100 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] crypto: arm64/neonbs - fix out-of-bounds access on short input To: Ard Biesheuvel Cc: linux-crypto@vger.kernel.org, herbert@gondor.apana.org.au, stable@vger.kernel.org, syzbot+f1ceaa1a09ab891e1934@syzkaller.appspotmail.com Content-Type: text/plain; charset="UTF-8" On Sat, 17 Feb 2024 at 17:12, Ard Biesheuvel wrote: > > From: Ard Biesheuvel > > The bit-sliced implementation of AES-CTR operates on blocks of 128 > bytes, and will fall back to the plain NEON version for tail blocks or > inputs that are shorter than 128 bytes to begin with. > > It will call straight into the plain NEON asm helper, which performs all > memory accesses in granules of 16 bytes (the size of a NEON register). > For this reason, the associated plain NEON glue code will copy inputs > shorter than 16 bytes into a temporary buffer, given that this is a rare > occurrence and it is not worth the effort to work around this in the asm > code. > > The fallback from the bit-sliced NEON version fails to take this into > account, potentially resulting in out-of-bounds accesses. So clone the > same workaround, and use a temp buffer for short in/outputs. > > Cc: > Reported-by: syzbot+f1ceaa1a09ab891e1934@syzkaller.appspotmail.com > Tested-by: syzbot+f1ceaa1a09ab891e1934@syzkaller.appspotmail.com > Signed-off-by: Ard Biesheuvel Ping? > --- > arch/arm64/crypto/aes-neonbs-glue.c | 11 +++++++++++ > 1 file changed, 11 insertions(+) > > diff --git a/arch/arm64/crypto/aes-neonbs-glue.c b/arch/arm64/crypto/aes-neonbs-glue.c > index bac4cabef607..849dc41320db 100644 > --- a/arch/arm64/crypto/aes-neonbs-glue.c > +++ b/arch/arm64/crypto/aes-neonbs-glue.c > @@ -227,8 +227,19 @@ static int ctr_encrypt(struct skcipher_request *req) > src += blocks * AES_BLOCK_SIZE; > } > if (nbytes && walk.nbytes == walk.total) { > + u8 buf[AES_BLOCK_SIZE]; > + u8 *d = dst; > + > + if (unlikely(nbytes < AES_BLOCK_SIZE)) > + src = dst = memcpy(buf + sizeof(buf) - nbytes, > + src, nbytes); > + > neon_aes_ctr_encrypt(dst, src, ctx->enc, ctx->key.rounds, > nbytes, walk.iv); > + > + if (unlikely(nbytes < AES_BLOCK_SIZE)) > + memcpy(d, buf + sizeof(buf) - nbytes, nbytes); > + > nbytes = 0; > } > kernel_neon_end(); > -- > 2.44.0.rc0.258.g7320e95886-goog >