From: Anastasia Tishchenko <sv3iry@gmail.com>
To: Lukas Wunner <lukas@wunner.de>, Ignat Korchagin <ignat@linux.win>,
Stefan Berger <stefanb@linux.ibm.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S . Miller" <davem@davemloft.net>
Cc: linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
Anastasia Tishchenko <sv3iry@gmail.com>
Subject: [PATCH] crypto : ecc - Fix carry overflow in vli multiplication
Date: Fri, 8 May 2026 14:48:44 +0300 [thread overview]
Message-ID: <20260508114844.29694-1-sv3iry@gmail.com> (raw)
The carry flag calculation fails when r01.m_high is saturated
(0xFFFFFFFFFFFFFFFF) and addition of lower bits overflows.
The condition (r01.m_high < product.m_high) doesn't handle the case
where r01.m_high == product.m_high and an additional carry exists
from lower-bit overflow.
Add proper handling for this boundary by accounting for the carry
from the lower addition.
This issue was discovered during formal verification of ECC functions.
Signed-off-by: Anastasia Tishchenko <sv3iry@gmail.com>
---
crypto/ecc.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/crypto/ecc.c b/crypto/ecc.c
index 43b0def3a225..dfe96471407c 100644
--- a/crypto/ecc.c
+++ b/crypto/ecc.c
@@ -427,7 +427,10 @@ static void vli_mult(u64 *result, const u64 *left, const u64 *right,
product = mul_64_64(left[i], right[k - i]);
r01 = add_128_128(r01, product);
- r2 += (r01.m_high < product.m_high);
+ if (r01.m_high != product.m_high)
+ r2 += (r01.m_high < product.m_high);
+ else
+ r2 += (r01.m_low < product.m_low);
}
result[k] = r01.m_low;
@@ -488,7 +491,10 @@ static void vli_square(u64 *result, const u64 *left, unsigned int ndigits)
}
r01 = add_128_128(r01, product);
- r2 += (r01.m_high < product.m_high);
+ if (r01.m_high != product.m_high)
+ r2 += (r01.m_high < product.m_high);
+ else
+ r2 += (r01.m_low < product.m_low);
}
result[k] = r01.m_low;
--
2.43.0
next reply other threads:[~2026-05-08 11:49 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-08 11:48 Anastasia Tishchenko [this message]
2026-05-08 14:36 ` [PATCH] crypto : ecc - Fix carry overflow in vli multiplication Stefan Berger
2026-05-11 5:30 ` Lukas Wunner
2026-05-12 13:48 ` Lukas Wunner
2026-05-12 15:27 ` David Laight
[not found] ` <CAMtNSrhkfsGL04DtOb9M9fijHK=Xy0D-pBahiCqV+zPuJyRSLw@mail.gmail.com>
2026-05-13 8:32 ` Lukas Wunner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260508114844.29694-1-sv3iry@gmail.com \
--to=sv3iry@gmail.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=ignat@linux.win \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lukas@wunner.de \
--cc=stefanb@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox