From: Eric Biggers <ebiggers@kernel.org>
To: Lukas Wunner <lukas@wunner.de>
Cc: Jason Donenfeld <jason@zx2c4.com>,
Ard Biesheuvel <ardb@kernel.org>,
Yiming Qian <yimingqian591@gmail.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Ignat Korchagin <ignat@linux.win>,
David Howells <dhowells@redhat.com>,
Jarkko Sakkinen <jarkko@kernel.org>,
Tadeusz Struk <tstruk@gigaio.com>,
linux-crypto@vger.kernel.org
Subject: Re: [PATCH] crypto: lib/mpi - Fix integer underflow in mpi_read_raw_from_sgl()
Date: Wed, 15 Apr 2026 11:00:58 -0700 [thread overview]
Message-ID: <20260415180058.GC3142@quark> (raw)
In-Reply-To: <ad68X6BveJXqynUk@wunner.de>
On Wed, Apr 15, 2026 at 12:14:55AM +0200, Lukas Wunner wrote:
> diff --git a/lib/crypto/mpi/mpicoder.c b/lib/crypto/mpi/mpicoder.c
> index 9359a58..011434d 100644
> --- a/lib/crypto/mpi/mpicoder.c
> +++ b/lib/crypto/mpi/mpicoder.c
> @@ -347,11 +347,9 @@ MPI mpi_read_raw_from_sgl(struct scatterlist *sgl, unsigned int nbytes)
> lzeros = 0;
> len = 0;
> while (nbytes > 0) {
> - while (len && !*buff && lzeros < nbytes) {
> - lzeros++;
> - len--;
> - buff++;
> - }
> + lzeros = count_leading_zerobytes(buff, min(len, nbytes));
> + len -= lzeros;
> + buff += lzeros;
Well, now you're passing an uninitialized pointer as a function
parameter. (The loop body still operates on data from the previous
iteration.) So no, that isn't a step forwards. This should be
rewritten as a conventional loop and be switched to the scatterwalk API.
But this is really just a symptom of the larger issue with the pointless
virtaddr => scatterlist => virtaddr conversion that is happening. And
lib/crypto/mpi/ is broken in other ways too, e.g. it's not constant-time
but is being used for RSA signing. And it has no tests.
This is on my TODO list to fix up at some point, but it's a big task.
Secure bignum implementations aren't easy; userspace projects have spent
a long time to get them right. So far I've instead been focusing on
symmetric crypto, which is what actually matters in the kernel. If
someone is using the broken kernel RSA signing UAPIs (which should never
have been added), they hopefully know what they're getting...
- Eric
next prev parent reply other threads:[~2026-04-15 18:01 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-12 14:19 [PATCH] crypto: lib/mpi - Fix integer underflow in mpi_read_raw_from_sgl() Lukas Wunner
2026-04-12 17:15 ` Ignat Korchagin
2026-04-13 11:58 ` Lukas Wunner
2026-04-14 17:59 ` Eric Biggers
2026-04-14 22:14 ` Lukas Wunner
2026-04-15 18:00 ` Eric Biggers [this message]
2026-04-15 2:46 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260415180058.GC3142@quark \
--to=ebiggers@kernel.org \
--cc=ardb@kernel.org \
--cc=dhowells@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=ignat@linux.win \
--cc=jarkko@kernel.org \
--cc=jason@zx2c4.com \
--cc=linux-crypto@vger.kernel.org \
--cc=lukas@wunner.de \
--cc=tstruk@gigaio.com \
--cc=yimingqian591@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox