From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: u-boot@lists.denx.de
Subject: [BUG] rsa: crash in br_i32_decode() called from rsa_gen_key_prop()
Date: Tue, 8 Sep 2020 09:21:59 +0900
Message-ID: <20200908002159.GA1814894@laputa>
In-Reply-To: <61085ee5-a5ef-2164-ef56-6ab2d7d8da64@gmx.de>

On Mon, Sep 07, 2020 at 05:58:14PM +0200, Heinrich Schuchardt wrote:
> Hello Takahiro,
>
> on the 32bit Wandboard (with i.mx6 CPU) running the lib_asn1_pkcs7 unit
> test results in a crash due to an unaligned access occurring when
> br_i32_decode() is called by rsa_gen_key_prop().

Some guy has sent me a similar bug report about unaligned access
in rsa-keyprop.c.
I will ask him to post a patch as he seems to have fixed it.

-Takahiro Akashi

> Please, check the alignment assumptions for src when calling
> br_i32_decode(). If src is only 1 byte aligned, you should neither call
> be32_to_cpup() nor be16_to_cpup() which assume 32bit and 16bit alignment.
>
>
> ----Running lib tests----
> Running 14 lib tests
> Test: lib_asn1_pkcs7
> data abort
> pc : [<8efb3a8e>] lr : [<8efb3bbd>]
> reloc pc : [<17845a8e>] lr : [<17845bbd>]
> sp : 8e561330 ip : 00000001 fp : 8efd9d66
> r10: 8e58f040 r9 : 8e56dec0 r8 : 8e588748
> r7 : 00000001 r6 : 8e58f350 r5 : 8e58f350 r4 : 8e58f350
> r3 : 000000fc r2 : 00000100 r1 : 8e58ee49 r0 : 8e58f350
> Flags: nzCv IRQs off FIQs off Mode SVC_32 (T)
> Code: ea43 4302 e7a2 3b04 (58c8) ba00
> Resetting CPU ...
>
> resetting ...
>
>
>
> br_i32_decode():
>
> return be16_to_cpup(src);
> 17845a84: b29b uxth r3, r3
> w = ((uint32_t)buf[0] << 16)
> 17845a86: ea43 4302 orr.w r3, r3, r2, lsl #16
> 17845a8a: e7a2 b.n 178459d2 <br_i32_decode+0x24>
> u -= 4;
> 17845a8c: 3b04 subs r3, #4
> return __arch__swab32p(x);
> 17845a8e: 58c8 ldr r0, [r1, r3] <<<<<<<<<<<<<<
> 17845a90: ba00 rev r0, r0
> x[v ++] = br_dec32be(buf + u);
> 17845a92: f845 0f04 str.w r0, [r5, #4]!
> if (u < 4) {
> 17845a96: e78f b.n 178459b8 <br_i32_decode+0xa>
> return y ^ (-ctl & (x ^ y));
>
>
> rsa_gen_key_prop():
>
> /* n0 inverse */
> br_i32_decode(n, &rsa_key.n[i], rsa_key.n_sz - i);
> 17845bac: 9910 ldr r1, [sp, #64] ; 0x40
> (*prop)->exp_len = sizeof(uint64_t);
> 17845bae: 615a str r2, [r3, #20]
> br_i32_decode(n, &rsa_key.n[i], rsa_key.n_sz - i);
> 17845bb0: 9a18 ldr r2, [sp, #96] ; 0x60
> 17845bb2: 4439 add r1, r7
> 17845bb4: 1bd2 subs r2, r2, r7
> 17845bb6: 4630 mov r0, r6
> 17845bb8: f7ff fef9 bl 178459ae <br_i32_decode> <<<<<<
> (*prop)->n0inv = br_i32_ninv32(n[1]);
> 17845bbc: 6873 ldr r3, [r6, #4]
> 17845bbe: 682a ldr r2, [r5, #0]
> y = 2 - x;
> 17845bc0: f1c3 0102 rsb r1, r3, #2
>
>
>
> Best regards
>
> Heinrich
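
Added example, not part of the original messages and not U-Boot's or BearSSL's code: a C version of the alignment-safe decode the report asks for, loading each big-endian word with byte accesses so that an odd source address (such as r1 in the register dump above) is valid input. The names load_be32, decode_be_words and demo, the least-significant-word-first output order and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Big-endian 32-bit load using byte accesses only: valid at any address. */
static uint32_t load_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical helper: big-endian bytes -> 32-bit words, least significant
 * word first, walking back from the end. Returns words written, 0 if out is too small. */
static size_t decode_be_words(uint32_t *out, size_t out_words,
                              const unsigned char *src, size_t len)
{
    size_t u = len, v = 0, i;
    uint32_t w = 0;

    if ((len + 3) / 4 > out_words)
        return 0;
    while (u >= 4) {
        u -= 4;
        out[v++] = load_be32(src + u);   /* no alignment assumption on src */
    }
    for (i = 0; i < u; i++)              /* 1..3 leading bytes left over */
        w = (w << 8) | src[i];
    if (u)
        out[v++] = w;
    return v;
}

/* Constructed sample: skipping one leading byte of a word-aligned buffer
 * leaves src on an odd address, as with &rsa_key.n[i] in the report. */
static size_t demo(uint32_t *out, size_t out_words, size_t len, int *aligned)
{
    static const union { uint32_t force_align; unsigned char b[12]; } key =
        { .b = { 0x00, 1, 2, 3, 4, 5, 6, 7, 8 } };
    const unsigned char *src = &key.b[1];

    *aligned = ((uintptr_t)src & 3u) == 0;   /* 0: a uint32_t load here could fault */
    return decode_be_words(out, out_words, src, len);
}

int main(void)
{
    uint32_t out[2];
    int aligned;
    return demo(out, 2, 8, &aligned) == 2 && !aligned ? 0 : 1;
}
```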