[PATCH v2] arm64/crypto: poly1305 fix a read out-of-bound
Guozihua (Scott)
guozihua at huawei.com
Thu Jul 21 20:14:52 PDT 2022
On 2022/7/21 17:28, Will Deacon wrote:
> On Wed, Jul 20, 2022 at 07:37:17PM -0700, Eric Biggers wrote:
>> On Wed, Jul 20, 2022 at 05:57:30PM +0800, Guozihua (Scott) wrote:
>>> On 2022/7/20 17:41, Will Deacon wrote:
>>>> On Tue, Jul 12, 2022 at 03:50:31PM +0800, GUO Zihua wrote:
>>>>> A kasan error was reported during fuzzing:
>>>>
>>>> [...]
>>>>
>>>>> This patch fixes the issue by calling poly1305_init_arm64() instead of
>>>>> poly1305_init_arch(). This is also the implementation for the same
>>>>> algorithm on arm platform.
>>>>>
>>>>> Fixes: f569ca164751 ("crypto: arm64/poly1305 - incorporate OpenSSL/CRYPTOGAMS NEON implementation")
>>>>> Cc: stable at vger.kernel.org
>>>>> Signed-off-by: GUO Zihua <guozihua at huawei.com>
>>>>> ---
>>>>> arch/arm64/crypto/poly1305-glue.c | 2 +-
>>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> I'm not a crypto guy by any stretch of the imagination, but Ard is out
>>>> at the moment and this looks like an important fix so I had a crack at
>>>> reviewing it.
>>>>
>>>>> diff --git a/arch/arm64/crypto/poly1305-glue.c b/arch/arm64/crypto/poly1305-glue.c
>>>>> index 9c3d86e397bf..1fae18ba11ed 100644
>>>>> --- a/arch/arm64/crypto/poly1305-glue.c
>>>>> +++ b/arch/arm64/crypto/poly1305-glue.c
>>>>> @@ -52,7 +52,7 @@ static void neon_poly1305_blocks(struct poly1305_desc_ctx *dctx, const u8 *src,
>>>>> {
>>>>> if (unlikely(!dctx->sset)) {
>>>>> if (!dctx->rset) {
>>>>> - poly1305_init_arch(dctx, src);
>>>>> + poly1305_init_arm64(&dctx->h, src);
>>>>> src += POLY1305_BLOCK_SIZE;
>>>>> len -= POLY1305_BLOCK_SIZE;
>>>>> dctx->rset = 1;
>>>>
>>>> With this change, we no longer initialise dctx->buflen to 0 as part of the
>>>> initialisation. Looking at neon_poly1305_do_update(), I'm a bit worried
>>>> that we could land in the 'if (likely(len >= POLY1305_BLOCK_SIZE))' block,
>>>> end up with len == 0 and fail to set dctx->buflen. Is this a problem, or is
>>>> my ignorance showing?
>>>>
>>>> Will
>>>> .
>>>
>>> Thanks Will.
>>>
>>> I noticed this as well, but I leaved it out so that the behavior is the same
>>> as the implementation for arm. The buflen here seems to be used for
>>> maintaining any excessive data after the last block, and is zeroed during
>>> init. I am not sure why it should be zeroed again during key initialization.
>>> Maybe the thought was that the very first block of the data is always used
>>> for initializing rset and that is also considered to be the "initialization"
>>> process for the algorithm, thus the zeroing of buflen. I could be completely
>>> wrong though.
>>>
>>
>> buflen is initialized by neon_poly1305_init(), so there's no issue here.
>
> Ah yes, thanks. I missed that. In which case, for the very little it's
> worth:
>
> Acked-by: Will Deacon <will at kernel.org>
>
> Herbert, please can you pick this up?
>
> Will
> .
Thanks Will.
Herbert, would you please wait for a v3 patch? I'll update the reproduce
example based on Eric's comment.
--
Best
GUO Zihua
More information about the linux-arm-kernel
mailing list