From: Eric Biggers <ebiggers@kernel.org>
To: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel <ardb@kernel.org>,
"Jason A . Donenfeld" <Jason@zx2c4.com>,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: Re: [PATCH] lib/crypto: sha1: Explicitly specify alignment of sha1_ctx::buf
Date: Fri, 20 Mar 2026 22:59:17 -0700 [thread overview]
Message-ID: <20260321055917.GA2346@sol> (raw)
In-Reply-To: <20260320231403.47323-1-ebiggers@kernel.org>
On Fri, Mar 20, 2026 at 04:14:03PM -0700, Eric Biggers wrote:
> __sha1_final() writes a __be64 to &ctx->buf[56] using a plain write.
> That assumes that the alignment of buf is at least that of __be64. It
> is, since it immediately follows a u64 field. However, to make this
> assumption explicit it's best to specify the field alignment explicitly
> too, like what is done in the corresponding SHA-2 and MD5 structs.
>
> Signed-off-by: Eric Biggers <ebiggers@kernel.org>
> ---
> include/crypto/sha1.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/crypto/sha1.h b/include/crypto/sha1.h
> index 4d973e016cd6..560ed4fd1703 100644
> --- a/include/crypto/sha1.h
> +++ b/include/crypto/sha1.h
> @@ -38,11 +38,11 @@ struct sha1_block_state {
> * @buf: partial block buffer; bytecount % SHA1_BLOCK_SIZE bytes are valid
> */
> struct sha1_ctx {
> struct sha1_block_state state;
> u64 bytecount;
> - u8 buf[SHA1_BLOCK_SIZE];
> + u8 buf[SHA1_BLOCK_SIZE] __aligned(__alignof__(__be64));
> };
Surprisingly, this patch actually breaks the build on 32-bit x86. The
static assertions in crypto/sha1.c that verify the consistency of
'struct sha1_ctx' and 'struct sha1_state' start failing. gcc puts
bytecount and buf at offsets 20 and 28 in the struct. I.e., it puts the
u64 field on only a 4-byte boundary. However, __alignof__(__be64)
actually returns 8, causing the offset of buf to change from 28 to 32.
(The result is the same if __alignof__(u64) is used instead.)
Apparently __alignof__ returns the "preferred alignment". But what we
want is "minimum alignment". Which is C11's _Alignof, which was
deprecated in C23 and replaced with "alignof". Sigh.
Probably best to just keep this as-is until we can get drivers/crypto/
migrated off of 'struct sha1_state' and remove that.
- Eric
prev parent reply other threads:[~2026-03-21 6:00 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-20 23:14 [PATCH] lib/crypto: sha1: Explicitly specify alignment of sha1_ctx::buf Eric Biggers
2026-03-21 5:59 ` Eric Biggers [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260321055917.GA2346@sol \
--to=ebiggers@kernel.org \
--cc=Jason@zx2c4.com \
--cc=ardb@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.