From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AC750306754; Thu, 16 Jul 2026 14:13:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784211236; cv=none; b=EOD8r6iequzFdTCqERFRAv+/aGwt7owdJ6p8BjfFgqL2aZ3mF4AnlTC9pNW5nFPqjbjPzZRkpfCTI5gQM9wum1E18jwGMCahePT37W9xaoOZLzpTc+6MOLh8f/7ScDjdQoaEpjJ/oChiY6Xcne9OjrPesTY//pdDrWgDzBkx/MA= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784211236; c=relaxed/simple; bh=7Cm9bR2HHXSCoC8+KB5GhMfpYe5tYu+6K3SaVtAoYGk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=KnxTzzlXwhI8xQiLv2PSJS13BhABX9N5wsxiAWOdo3m64mHPcWeEBoQOquOERVkukwRy1t9XL7gD6D71+11ZQnL9LfQEN2ok1Ca3fJeoW18c9VkFiCmVRLBdsxmvnvr1zDS62oWSy4Frq3CucY3kLh3ENjZ2Mn4yfS2mbhR08/Y= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=uqLz8wkA; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="uqLz8wkA" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1DE8A1F000E9; Thu, 16 Jul 2026 14:13:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1784211235; bh=ruIv3fqusrE3oJOrBfB9FIAMpPAMzamXa0af5mjhsIQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=uqLz8wkAxMWYwK/tCrs/TZY4eAX/JzM07hvZHnd7LaH3Vzn7RvxJh3cpADCiMAt0s 422gMWxW61UuBF4yeQhPekw+AJxQ4NegMOiKD1gR0nu1wwcrXhoMZMnfFUipVXKRW5 DFhXGNCGkbNk45Je3zZDdwTRNVbPJ7Msc+oUFtD4= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Anastasia Tishchenko , Lukas Wunner , Herbert Xu Subject: [PATCH 6.18 351/480] crypto: ecc - Fix carry overflow in vli multiplication Date: Thu, 16 Jul 2026 15:31:38 +0200 Message-ID: <20260716133052.399092708@linuxfoundation.org> X-Mailer: git-send-email 2.55.0 In-Reply-To: <20260716133044.672218725@linuxfoundation.org> References: <20260716133044.672218725@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Anastasia Tishchenko commit 27b536a2ec8e2f85a0380c2d13c9ecbc7aaab406 upstream. The carry flag calculation fails when r01.m_high is saturated (0xFFFFFFFFFFFFFFFF) and addition of lower bits overflows. The condition (r01.m_high < product.m_high) doesn't handle the case where r01.m_high == product.m_high and an additional carry exists from lower-bit overflow. When commit 3c4b23901a0c ("crypto: ecdh - Add ECDH software support") introduced crypto/ecc.c, it split the muladd() function in the micro-ecc library into separate mul_64_64() and add_128_128() helpers. It seems the check got lost in translation. Add proper handling for this boundary by accounting for the carry from the lower addition. Fixes: 3c4b23901a0c ("crypto: ecdh - Add ECDH software support") Signed-off-by: Anastasia Tishchenko Cc: stable@vger.kernel.org # v4.8+ Reviewed-by: Lukas Wunner Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman --- crypto/ecc.c | 31 ++++++++++++++++++++----------- 1 file changed, 20 insertions(+), 11 deletions(-) --- a/crypto/ecc.c +++ b/crypto/ecc.c @@ -402,14 +402,26 @@ static uint128_t mul_64_64(u64 left, u64 return result; } -static uint128_t add_128_128(uint128_t a, uint128_t b) +/* Calculate addition with overflow checking. Returns true on wrap-around, + * false otherwise. + */ +static bool check_add_128_128_overflow(uint128_t *result, uint128_t a, + uint128_t b) { - uint128_t result; + bool carry; - result.m_low = a.m_low + b.m_low; - result.m_high = a.m_high + b.m_high + (result.m_low < a.m_low); + result->m_low = a.m_low + b.m_low; + carry = (result->m_low < a.m_low); - return result; + result->m_high = a.m_high + b.m_high + carry; + + /* Using constant-time bitwise arithmetic to prevent timing + * side-channels. + */ + carry = (result->m_high < a.m_high) | + ((result->m_high == a.m_high) & carry); + + return carry; } static void vli_mult(u64 *result, const u64 *left, const u64 *right, @@ -434,9 +446,7 @@ static void vli_mult(u64 *result, const uint128_t product; product = mul_64_64(left[i], right[k - i]); - - r01 = add_128_128(r01, product); - r2 += (r01.m_high < product.m_high); + r2 += check_add_128_128_overflow(&r01, r01, product); } result[k] = r01.m_low; @@ -459,7 +469,7 @@ static void vli_umult(u64 *result, const uint128_t product; product = mul_64_64(left[k], right); - r01 = add_128_128(r01, product); + check_add_128_128_overflow(&r01, r01, product); /* no carry */ result[k] = r01.m_low; r01.m_low = r01.m_high; @@ -496,8 +506,7 @@ static void vli_square(u64 *result, cons product.m_low <<= 1; } - r01 = add_128_128(r01, product); - r2 += (r01.m_high < product.m_high); + r2 += check_add_128_128_overflow(&r01, r01, product); } result[k] = r01.m_low;