* [PATCH] crypto: arm64/poly1305-neon - reorder PAC authentication with SP update
From: Ard Biesheuvel @ 2020-10-26 23:00 UTC
To: linux-crypto; +Cc: herbert, ebiggers, Ard Biesheuvel
PAC pointer authentication signs the return address against the value
of the stack pointer, to prevent stack overrun exploits from corrupting
the control flow. However, this requires that the AUTIASP is issued with
SP holding the same value as it held when the PAC value was generated.
The Poly1305 NEON code got this wrong, resulting in crashes on PAC
capable hardware.
Fixes: f569ca164751 ("crypto: arm64/poly1305 - incorporate OpenSSL/CRYPTOGAMS ...")
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
arch/arm64/crypto/poly1305-armv8.pl | 2 +-
arch/arm64/crypto/poly1305-core.S_shipped | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/crypto/poly1305-armv8.pl b/arch/arm64/crypto/poly1305-armv8.pl
index 6e5576d19af8..cbc980fb02e3 100644
--- a/arch/arm64/crypto/poly1305-armv8.pl
+++ b/arch/arm64/crypto/poly1305-armv8.pl
@@ -840,7 +840,6 @@ poly1305_blocks_neon:
ldp d14,d15,[sp,#64]
addp $ACC2,$ACC2,$ACC2
ldr x30,[sp,#8]
- .inst 0xd50323bf // autiasp
////////////////////////////////////////////////////////////////
// lazy reduction, but without narrowing
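Review bot: with the authentication removed here, `ldr x30,[sp,#8]` leaves a still-signed return address sitting in x30 through the whole lazy-reduction section, so nothing in that section may clobber or use x30 before the `ret`. Since x29 is at [sp] and x30 at [sp,#8], folding both loads into one `ldp x29,x30,[sp],#80` at the frame pop, directly followed by the autiasp, would keep the load, the SP restore and the authentication together in one place.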
@@ -882,6 +881,7 @@ poly1305_blocks_neon:
str x4,[$ctx,#8] // set is_base2_26
ldr x29,[sp],#80
+ .inst 0xd50323bf // autiasp
ret
.size poly1305_blocks_neon,.-poly1305_blocks_neon
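Review bot: the position of `.inst 0xd50323bf // autiasp` after `ldr x29,[sp],#80` is what makes this correct, but nothing in the code says so. A one-line comment stating that autiasp has to run only once the post-indexed load has put SP back to the value it had at signing time would keep a later reshuffle of the epilogue from reintroducing the crash.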
diff --git a/arch/arm64/crypto/poly1305-core.S_shipped b/arch/arm64/crypto/poly1305-core.S_shipped
index 8d1c4e420ccd..fb2822abf63a 100644
--- a/arch/arm64/crypto/poly1305-core.S_shipped
+++ b/arch/arm64/crypto/poly1305-core.S_shipped
@@ -779,7 +779,6 @@ poly1305_blocks_neon:
ldp d14,d15,[sp,#64]
addp v21.2d,v21.2d,v21.2d
ldr x30,[sp,#8]
- .inst 0xd50323bf // autiasp
////////////////////////////////////////////////////////////////
// lazy reduction, but without narrowing
@@ -821,6 +820,7 @@ poly1305_blocks_neon:
str x4,[x0,#8] // set is_base2_26
ldr x29,[sp],#80
+ .inst 0xd50323bf // autiasp
ret
.size poly1305_blocks_neon,.-poly1305_blocks_neon
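Review bot: the two hunks for poly1305-core.S_shipped mirror the poly1305-armv8.pl hunks with `$ACC2` and `$ctx` expanded to `v21.2d` and `x0`, so the shipped file should be the result of rerunning the script rather than a parallel hand edit. It would help to say in the commit message which of the two was done, since the files only stay in sync if the shipped copy is regenerated from the Perl source.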
--
2.17.1
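The ordering constraint described in the commit message above, as a toy C model added here (not code from the patch, the kernel or CRYPTOGAMS). The tag function is a stand-in for the hardware PAC cipher, and the entry sequence (sign at the entry SP, then push an 80-byte frame), the 48-bit address width and all values are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define VA_MASK 0x0000FFFFFFFFFFFFULL /* assumed 48-bit virtual addresses */
#define FRAME   80                    /* frame popped by ldr x29,[sp],#80 */

/* Stand-in keyed tag over (pointer, modifier); real PAC uses a hardware cipher. */
static uint64_t toy_tag(uint64_t ptr, uint64_t modifier, uint64_t key)
{
    return ((ptr ^ key) * 0x9E3779B97F4A7C15ULL
            + modifier * 0xBF58476D1CE4E5B9ULL) & 0xFFFF;
}

/* Model of paciasp: store a tag bound to the current SP in LR's unused top bits. */
static uint64_t pac_sign(uint64_t lr, uint64_t sp, uint64_t key)
{
    return (lr & VA_MASK) | (toy_tag(lr & VA_MASK, sp, key) << 48);
}

/* Model of autiasp: strip the tag on a match, otherwise poison the pointer
 * so that the following ret faults. */
static uint64_t pac_auth(uint64_t signed_lr, uint64_t sp, uint64_t key)
{
    uint64_t lr = signed_lr & VA_MASK;
    return (pac_sign(lr, sp, key) == signed_lr) ? lr : (lr | (1ULL << 62));
}

/* Epilogue order before the patch: authenticate while SP is still lowered. */
uint64_t ret_target_before(uint64_t entry_sp, uint64_t lr, uint64_t key)
{
    uint64_t x30 = pac_sign(lr, entry_sp, key); /* assumed: signed at entry */
    uint64_t sp = entry_sp - FRAME;             /* assumed: frame pushed after signing */
    return pac_auth(x30, sp, key);              /* autiasp with SP != signing SP */
}

/* Epilogue order after the patch: pop the frame, then authenticate. */
uint64_t ret_target_after(uint64_t entry_sp, uint64_t lr, uint64_t key)
{
    uint64_t x30 = pac_sign(lr, entry_sp, key);
    uint64_t sp = entry_sp - FRAME;
    sp += FRAME;                                /* ldr x29,[sp],#80 */
    return pac_auth(x30, sp, key);              /* autiasp with SP == signing SP */
}

int main(void)
{
    uint64_t sp = 0x7ffff000ULL, lr = 0x400123ULL, key = 0x1122334455667788ULL; /* constructed */
    printf("before: %#llx\n", (unsigned long long)ret_target_before(sp, lr, key));
    printf("after:  %#llx\n", (unsigned long long)ret_target_after(sp, lr, key));
    return 0;
}
```
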
* Re: [PATCH] crypto: arm64/poly1305-neon - reorder PAC authentication with SP update
From: Eric Biggers @ 2020-10-26 23:03 UTC
To: Ard Biesheuvel; +Cc: linux-crypto, herbert
On Tue, Oct 27, 2020 at 12:00:27AM +0100, Ard Biesheuvel wrote:
> PAC pointer authentication signs the return address against the value
> of the stack pointer, to prevent stack overrun exploits from corrupting
> the control flow. However, this requires that the AUTIASP is issued with
> SP holding the same value as it held when the PAC value was generated.
> The Poly1305 NEON code got this wrong, resulting in crashes on PAC
> capable hardware.
>
> Fixes: f569ca164751 ("crypto: arm64/poly1305 - incorporate OpenSSL/CRYPTOGAMS ...")
> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> ---
> arch/arm64/crypto/poly1305-armv8.pl | 2 +-
> arch/arm64/crypto/poly1305-core.S_shipped | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
This needs to be fixed at https://github.com/dot-asm/cryptogams too, I assume?
- Eric
* Re: [PATCH] crypto: arm64/poly1305-neon - reorder PAC authentication with SP update
From: Ard Biesheuvel @ 2020-10-26 23:04 UTC
To: Eric Biggers; +Cc: Linux Crypto Mailing List, Herbert Xu
On Tue, 27 Oct 2020 at 00:03, Eric Biggers <ebiggers@kernel.org> wrote:
>
> On Tue, Oct 27, 2020 at 12:00:27AM +0100, Ard Biesheuvel wrote:
> > PAC pointer authentication signs the return address against the value
> > of the stack pointer, to prevent stack overrun exploits from corrupting
> > the control flow. However, this requires that the AUTIASP is issued with
> > SP holding the same value as it held when the PAC value was generated.
> > The Poly1305 NEON code got this wrong, resulting in crashes on PAC
> > capable hardware.
> >
> > Fixes: f569ca164751 ("crypto: arm64/poly1305 - incorporate OpenSSL/CRYPTOGAMS ...")
> > Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> > ---
> > arch/arm64/crypto/poly1305-armv8.pl | 2 +-
> > arch/arm64/crypto/poly1305-core.S_shipped | 2 +-
> > 2 files changed, 2 insertions(+), 2 deletions(-)
>
> This needs to be fixed at https://github.com/dot-asm/cryptogams too, I assume?
>
Yes, and in OpenSSL.
* Re: [PATCH] crypto: arm64/poly1305-neon - reorder PAC authentication with SP update
From: Ard Biesheuvel @ 2020-10-26 23:06 UTC
To: Eric Biggers, Andy Polyakov; +Cc: Linux Crypto Mailing List, Herbert Xu
(+ Andy)
On Tue, 27 Oct 2020 at 00:04, Ard Biesheuvel <ardb@kernel.org> wrote:
>
> On Tue, 27 Oct 2020 at 00:03, Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > On Tue, Oct 27, 2020 at 12:00:27AM +0100, Ard Biesheuvel wrote:
> > > PAC pointer authentication signs the return address against the value
> > > of the stack pointer, to prevent stack overrun exploits from corrupting
> > > the control flow. However, this requires that the AUTIASP is issued with
> > > SP holding the same value as it held when the PAC value was generated.
> > > The Poly1305 NEON code got this wrong, resulting in crashes on PAC
> > > capable hardware.
> > >
> > > Fixes: f569ca164751 ("crypto: arm64/poly1305 - incorporate OpenSSL/CRYPTOGAMS ...")
> > > Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> > > ---
> > > arch/arm64/crypto/poly1305-armv8.pl | 2 +-
> > > arch/arm64/crypto/poly1305-core.S_shipped | 2 +-
> > > 2 files changed, 2 insertions(+), 2 deletions(-)
> >
> > This needs to be fixed at https://github.com/dot-asm/cryptogams too, I assume?
> >
>
> Yes, and in OpenSSL.
* Re: [PATCH] crypto: arm64/poly1305-neon - reorder PAC authentication with SP update
From: Herbert Xu @ 2020-11-06 7:01 UTC
To: Ard Biesheuvel; +Cc: linux-crypto, ebiggers
On Tue, Oct 27, 2020 at 12:00:27AM +0100, Ard Biesheuvel wrote:
> PAC pointer authentication signs the return address against the value
> of the stack pointer, to prevent stack overrun exploits from corrupting
> the control flow. However, this requires that the AUTIASP is issued with
> SP holding the same value as it held when the PAC value was generated.
> The Poly1305 NEON code got this wrong, resulting in crashes on PAC
> capable hardware.
>
> Fixes: f569ca164751 ("crypto: arm64/poly1305 - incorporate OpenSSL/CRYPTOGAMS ...")
> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> ---
> arch/arm64/crypto/poly1305-armv8.pl | 2 +-
> arch/arm64/crypto/poly1305-core.S_shipped | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
Patch applied. Thanks.
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Thread overview: 6+ messages
2020-10-26 23:00 [PATCH] crypto: arm64/poly1305-neon - reorder PAC authentication with SP update Ard Biesheuvel
2020-10-26 23:03 ` Eric Biggers
2020-10-26 23:04 ` Ard Biesheuvel
2020-10-26 23:06 ` Ard Biesheuvel
2020-10-29 13:27 ` Andy Polyakov
2020-11-06 7:01 ` Herbert Xu