From: "Heiko Stübner" <heiko@sntech.de>
To: u-boot@lists.denx.de
Subject: [BUG] ut lib lib_rsa_verify_valid crashes on qemu_arm if RSA_VERIFY_WITH_PKEY=y
Date: Tue, 09 Jun 2020 12:11:31 +0200 [thread overview]
Message-ID: <2399481.2eeKMpjr2i@diego> (raw)
In-Reply-To: <20200609092235.GA5322@laputa>
Hi Akashi,
Am Dienstag, 9. Juni 2020, 11:22:35 CEST schrieb AKASHI Takahiro:
> Heinrich,
>
> On Tue, Jun 09, 2020 at 03:54:44AM +0000, Heinrich Schuchardt wrote:
> > Am June 9, 2020 1:42:14 AM UTC schrieb AKASHI Takahiro <takahiro.akashi@linaro.org>:
> > >Heinrich,
> > >
> > >On Mon, Jun 08, 2020 at 11:08:53PM +0200, Heinrich Schuchardt wrote:
> > >> Hello Takahiro,
> > >>
> > >> when trying to execute command
> > >>
> > >> ut lib lib_rsa_verify_valid
> > >>
> > >> on qemu_arm_defconfig with CONFIG_UNIT_TEST=y and
> > >> CONFIG_RSA_VERIFY_WITH_PKEY=y it crashes in
> > >>
> > >> free((void *)prop->modulus) called from
> > >> rsa_free_key_prop() called from
> > >> rsa_verify_key() called from
> > >> rsa_verify_with_pkey().
> > >>
> > >> Without CONFIG_RSA_VERIFY_WITH_PKEY=y the problem does not occur.
> > >> On qemu_arm64_defconfig the problem does not occur.
> > >
> > >I can't reproduce your problem on v2020.07-rc4 exactly with
> > >qemu_arm64_defconfig + PKEY=y:
> > >
> > >U-Boot 2020.07-rc4-dirty (Jun 09 2020 - 10:33:30 +0900)
> > >
> > >...
> > >
> > >=> ut lib
> > >Running 11 lib tests
> > >Test: lib_asn1_pkcs7
> > >Test: lib_asn1_pkey
> > >Test: lib_asn1_x509
> > >Test: lib_memcpy
> > >Test: lib_memmove
> > >Test: lib_memset
> > >Test: lib_rsa_verify_invalid
> > >Test: lib_rsa_verify_valid
> > >Test: lib_test_bin2hex
> > >Test: lib_test_hex2bin
> > >Test: lib_test_hex_to_bin
> > >Failures: 0
> > >
> > >
> > >-Takahiro Akashi
> >
> > As said I only see the problem with 32 bit qemu_arm_defconfig.
>
> Okay. I think that the size of rrtmp variable is not good enough
> and when it is handed over to br_i32_decode(), it accidentally
> destroys (*prop)->modulus.
>
> Heiko's patch:
> https://lists.denx.de/pipermail/u-boot/2020-May/413101.html
> will also fix this issue, but I'm not yet confident that
> the solution here, doubling max_rsa_size, is a right approach.
The algorithm does write outside its memory area with a big enough key
and I have to confess I had a hard time understanding it ;-) .
So what would be needed to get more confidence?
Because for me it looks like either the algorithm does strange things
or the memory area is too small - I don't really see a third option ;-) .
Heiko
next prev parent reply other threads:[~2020-06-09 10:11 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-08 21:08 [BUG] ut lib lib_rsa_verify_valid crashes on qemu_arm if RSA_VERIFY_WITH_PKEY=y Heinrich Schuchardt
2020-06-09 1:42 ` AKASHI Takahiro
2020-06-09 3:54 ` Heinrich Schuchardt
2020-06-09 9:22 ` AKASHI Takahiro
2020-06-09 10:11 ` Heiko Stübner [this message]
2020-06-09 10:22 ` Heinrich Schuchardt
2020-06-09 10:45 ` Heiko Stübner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2399481.2eeKMpjr2i@diego \
--to=heiko@sntech.de \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.