From: Jonathan Cameron <Jonathan.Cameron@Huawei.com>
To: Lukas Wunner <lukas@wunner.de>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
Stefan Berger <stefanb@linux.ibm.com>,
David Howells <dhowells@redhat.com>,
Vitaly Chikunov <vt@altlinux.org>,
Tadeusz Struk <tstruk@gigaio.com>,
Andrew Zaborowski <andrew.zaborowski@intel.com>,
"Saulo Alessandre" <saulo.alessandre@tse.jus.br>,
<linux-crypto@vger.kernel.org>, <keyrings@vger.kernel.org>
Subject: Re: [PATCH 3/5] crypto: ecdsa - Avoid signed integer overflow on signature decoding
Date: Thu, 1 Aug 2024 17:12:06 +0100
Message-ID: <20240801171206.00006d93@Huawei.com>
In-Reply-To: <919ce5664ab3883f1bc15aadfc6b6a2d9b30ecbd.1722260176.git.lukas@wunner.de>
On Mon, 29 Jul 2024 15:49:00 +0200
Lukas Wunner <lukas@wunner.de> wrote:
> When extracting a signature component r or s from an ASN.1-encoded
> integer, ecdsa_get_signature_rs() subtracts the expected length
> "bufsize" from the ASN.1 length "vlen" (both of unsigned type size_t)
> and stores the result in "diff" (of signed type ssize_t).
>
> This results in a signed integer overflow if vlen > SSIZE_MAX + bufsize.
>
> The kernel is compiled with -fno-strict-overflow, which implies -fwrapv,
> meaning signed integer overflow is not undefined behavior. And the
> function does check for overflow:
>
> if (-diff >= bufsize)
> return -EINVAL;
>
> So the code is fine in principle but not very obvious. In the future it
> might trigger a false-positive with CONFIG_UBSAN_SIGNED_WRAP=y.
>
> Avoid by comparing the two unsigned variables directly and erroring out
> if "vlen" is too large.
>
> Signed-off-by: Lukas Wunner <lukas@wunner.de>
Change looks fine to me.
Random musing inline.

Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> ---
> crypto/ecdsa.c | 17 ++++-------------
> 1 file changed, 4 insertions(+), 13 deletions(-)
>
> diff --git a/crypto/ecdsa.c b/crypto/ecdsa.c
> index f63731fb7535..03f608132242 100644
> --- a/crypto/ecdsa.c
> +++ b/crypto/ecdsa.c
> @@ -35,29 +35,20 @@ static int ecdsa_get_signature_rs(u64 *dest, size_t hdrlen, unsigned char tag,
> const void *value, size_t vlen, unsigned int ndigits)
> {
> size_t bufsize = ndigits * sizeof(u64);
> - ssize_t diff = vlen - bufsize;
> const char *d = value;
>
> - if (!value || !vlen)
> + if (!value || !vlen || vlen > bufsize + 1)
Given vlen and bufsize unsigned. Even in the weird case of bufsize + 1 == 0
vlen cannot be zero. So could drop the second condition? (or am I
missing something?) Maybe it's easier to reason that vlen == 0 is invalid though.
> return -EINVAL;
>
> - /* diff = 0: 'value' has exacly the right size
> - * diff > 0: 'value' has too many bytes; one leading zero is allowed that
> - * makes the value a positive integer; error on more
> - * diff < 0: 'value' is missing leading zeros
> - */
> - if (diff > 0) {
> + if (vlen > bufsize) {
> /* skip over leading zeros that make 'value' a positive int */
> if (*d == 0) {
> vlen -= 1;
> - diff--;
> d++;
> - }
> - if (diff)
> + } else {
> return -EINVAL;
> + }
> }
> - if (-diff >= bufsize)
> - return -EINVAL;
>
> ecc_digits_from_bytes(d, vlen, dest, ndigits);
>
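Review bot: the removed comment block was the only place that spelled out the three length cases, and after this change the vlen < bufsize case (missing leading zeros) is accepted with nothing at the `vlen > bufsize + 1` check or before `ecc_digits_from_bytes(d, vlen, dest, ndigits)` saying so. Suggest keeping a short comment restated in terms of vlen and bufsize: equal means exact size, bufsize + 1 is allowed only with one leading zero byte, smaller means leading zeros were omitted. The retained comment "skip over leading zeros" could also read "one leading zero", since only one is permitted. Separately, dropping `if (-diff >= bufsize)` changes one corner: with bufsize == 0, a single zero byte used to return -EINVAL and now reaches ecc_digits_from_bytes() with vlen == 0, so it is worth confirming that ndigits is never 0 here.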