[PATCH v2] arm64/crypto: poly1305 fix a read out-of-bound
Guozihua (Scott)
guozihua at huawei.com
Wed Jul 20 02:57:30 PDT 2022
On 2022/7/20 17:41, Will Deacon wrote:
> On Tue, Jul 12, 2022 at 03:50:31PM +0800, GUO Zihua wrote:
>> A kasan error was reported during fuzzing:
>
> [...]
>
>> This patch fixes the issue by calling poly1305_init_arm64() instead of
>> poly1305_init_arch(). This is also the implementation for the same
>> algorithm on arm platform.
>>
>> Fixes: f569ca164751 ("crypto: arm64/poly1305 - incorporate OpenSSL/CRYPTOGAMS NEON implementation")
>> Cc: stable at vger.kernel.org
>> Signed-off-by: GUO Zihua <guozihua at huawei.com>
>> ---
>> arch/arm64/crypto/poly1305-glue.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> I'm not a crypto guy by any stretch of the imagination, but Ard is out
> at the moment and this looks like an important fix so I had a crack at
> reviewing it.
>
>> diff --git a/arch/arm64/crypto/poly1305-glue.c b/arch/arm64/crypto/poly1305-glue.c
>> index 9c3d86e397bf..1fae18ba11ed 100644
>> --- a/arch/arm64/crypto/poly1305-glue.c
>> +++ b/arch/arm64/crypto/poly1305-glue.c
>> @@ -52,7 +52,7 @@ static void neon_poly1305_blocks(struct poly1305_desc_ctx *dctx, const u8 *src,
>> {
>> if (unlikely(!dctx->sset)) {
>> if (!dctx->rset) {
>> - poly1305_init_arch(dctx, src);
>> + poly1305_init_arm64(&dctx->h, src);
>> src += POLY1305_BLOCK_SIZE;
>> len -= POLY1305_BLOCK_SIZE;
>> dctx->rset = 1;
>
> With this change, we no longer initialise dctx->buflen to 0 as part of the
> initialisation. Looking at neon_poly1305_do_update(), I'm a bit worried
> that we could land in the 'if (likely(len >= POLY1305_BLOCK_SIZE))' block,
> end up with len == 0 and fail to set dctx->buflen. Is this a problem, or is
> my ignorance showing?
>
> Will
> .
Thanks Will.
I noticed this as well, but I leaved it out so that the behavior is the
same as the implementation for arm. The buflen here seems to be used for
maintaining any excessive data after the last block, and is zeroed
during init. I am not sure why it should be zeroed again during key
initialization. Maybe the thought was that the very first block of the
data is always used for initializing rset and that is also considered to
be the "initialization" process for the algorithm, thus the zeroing of
buflen. I could be completely wrong though.
--
Best
GUO Zihua
More information about the linux-arm-kernel
mailing list