Re: [PATCH v2 2/2] crypto: Fix out-of-bounds access of the AAD buffer in generic-gcm-aesni

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Eric Biggers <ebiggers3@gmail.com>
To: Junaid Shahid <junaids@google.com>
Cc: herbert@gondor.apana.org.au, linux-crypto@vger.kernel.org,
	andreslc@google.com, davem@davemloft.net, gthelen@google.com
Subject: Re: [PATCH v2 2/2] crypto: Fix out-of-bounds access of the AAD buffer in generic-gcm-aesni
Date: Wed, 20 Dec 2017 13:12:54 -0800	[thread overview]
Message-ID: <20171220211254.GB38504@gmail.com> (raw)
In-Reply-To: <2283674.Cix72tvP9W@js-desktop.svl.corp.google.com>

On Wed, Dec 20, 2017 at 11:35:44AM -0800, Junaid Shahid wrote:
> On Wednesday, December 20, 2017 12:42:10 AM PST Eric Biggers wrote:
> > > -_get_AAD_rest0\num_initial_blocks\operation:
> > > -	/* finalize: shift out the extra bytes we read, and align
> > > -	left. since pslldq can only shift by an immediate, we use
> > > -	vpshufb and an array of shuffle masks */
> > > -	movq	   %r12, %r11
> > > -	salq	   $4, %r11
> > > -	movdqu	   aad_shift_arr(%r11), \TMP1
> > > -	PSHUFB_XMM \TMP1, %xmm\i
> > 
> > aad_shift_arr is no longer used, so it should be removed.
> 
> Ack.
> 
> > 
> > > -_get_AAD_rest_final\num_initial_blocks\operation:
> > > +	READ_PARTIAL_BLOCK %r10, %r12, %r11, \TMP1, \TMP2, %xmm\i
> > 
> > It seems that INITIAL_BLOCKS_DEC and INITIAL_BLOCKS_ENC maintain both %r11 and
> > %r12 as the AAD length.  %r11 is used for real earlier, but here %r12 is used
> > for real while %r11 is a temporary register.  Can this be simplified to have the
> > AAD length in %r11 only?
> > 
> 
> We do need both registers, though we could certainly swap their usage to make
> r12 the temp register. The reason we need the second register is because we
> need to keep the original length to perform the pshufb at the end. But, of
> course, that will not be needed anymore if we avoid the pshufb by duplicating
> the _read_last_lt8 block or utilizing pslldq some other way.
> 

If READ_PARTIAL_BLOCK can clobber 'DLEN' that would simplify it even more (no
need for 'TMP1'), but what I am talking about here is how INITIAL_BLOCKS_DEC and
INITIAL_BLOCKS_ENC maintain two copies of the remaining length in lock-step in
r11 and r12:

_get_AAD_blocks\num_initial_blocks\operation:
        movdqu     (%r10), %xmm\i
        PSHUFB_XMM %xmm14, %xmm\i # byte-reflect the AAD data
        pxor       %xmm\i, \XMM2
        GHASH_MUL  \XMM2, \TMP3, \TMP1, \TMP2, \TMP4, \TMP5, \XMM1
        add        $16, %r10
        sub        $16, %r12
        sub        $16, %r11
        cmp        $16, %r11
        jge        _get_AAD_blocks\num_initial_blocks\operation

The code which you are replacing with READ_PARTIAL_BLOCK actually needed the two
copies, but now it seems that only one copy is needed, so it can be simplified
by only using r11.

Eric

next prev parent reply	other threads:[~2017-12-20 21:12 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-12-19 22:17 [PATCH] crypto: Fix out-of-bounds memory access in generic-gcm-aesni Junaid Shahid
2017-12-20  4:42 ` [PATCH v2 0/2] Fix out-of-bounds memory accesses " Junaid Shahid
2017-12-20  4:42 ` [PATCH v2 1/2] crypto: Fix out-of-bounds access of the data buffer " Junaid Shahid
2017-12-20  8:36   ` Eric Biggers
2017-12-20 19:28     ` Junaid Shahid
2017-12-20 21:05       ` Eric Biggers
2017-12-20  4:42 ` [PATCH v2 2/2] crypto: Fix out-of-bounds access of the AAD " Junaid Shahid
2017-12-20  8:42   ` Eric Biggers
2017-12-20 19:35     ` Junaid Shahid
2017-12-20 21:12       ` Eric Biggers [this message]
2017-12-20 21:51         ` Junaid Shahid

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20171220211254.GB38504@gmail.com \
    --to=ebiggers3@gmail.com \
    --cc=andreslc@google.com \
    --cc=davem@davemloft.net \
    --cc=gthelen@google.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=junaids@google.com \
    --cc=linux-crypto@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.