public inbox for linux-crypto@vger.kernel.org
 help / color / mirror / Atom feed
From: Lukas Wunner <lukas@wunner.de>
To: Eric Biggers <ebiggers@kernel.org>
Cc: Jason Donenfeld <jason@zx2c4.com>,
	Ard Biesheuvel <ardb@kernel.org>,
	Yiming Qian <yimingqian591@gmail.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	Ignat Korchagin <ignat@linux.win>,
	David Howells <dhowells@redhat.com>,
	Jarkko Sakkinen <jarkko@kernel.org>,
	Tadeusz Struk <tstruk@gigaio.com>,
	linux-crypto@vger.kernel.org
Subject: Re: [PATCH] crypto: lib/mpi - Fix integer underflow in mpi_read_raw_from_sgl()
Date: Wed, 15 Apr 2026 00:14:55 +0200	[thread overview]
Message-ID: <ad68X6BveJXqynUk@wunner.de> (raw)
In-Reply-To: <20260414175903.GC24456@quark>

On Tue, Apr 14, 2026 at 10:59:03AM -0700, Eric Biggers wrote:
> On Sun, Apr 12, 2026 at 04:19:47PM +0200, Lukas Wunner wrote:
> > Yiming reports an integer underflow in mpi_read_raw_from_sgl() when
> > subtracting "lzeros" from the unsigned "nbytes".
[...]
> 
> This code (which has no tests...) is unnecessarily hard to understand,
> though.  I haven't been able to fully understand the logic yet, but it
> looks like it still has bugs, including still reading past the given
> nbytes.  It should be possible to replace it with something simpler and
> less error-prone.

mpi_read_raw_from_sgl() skips over leading zero bytes in the scatterlist
and then over leading zero bits in the first non-zero byte, before it
starts copying data to the newly-allocated MPI.

One possible simplification is to use memchr_inv() to search for the
first non-zero byte, instead of open coding it.  See the patch below.
If you think it's a step in the right direction, I can submit the patch
in the next cycle.

-- >8 --

diff --git a/drivers/crypto/caam/caampkc.c b/drivers/crypto/caam/caampkc.c
index cb001aa..72e7ac7 100644
--- a/drivers/crypto/caam/caampkc.c
+++ b/drivers/crypto/caam/caampkc.c
@@ -17,6 +17,7 @@
 #include "sg_sw_sec4.h"
 #include "caampkc.h"
 #include <crypto/internal/engine.h>
+#include <linux/count_zeros.h>
 #include <linux/dma-mapping.h>
 #include <linux/err.h>
 #include <linux/kernel.h>
@@ -219,12 +220,9 @@ static int caam_rsa_count_leading_zeros(struct scatterlist *sgl,
 	lzeros = 0;
 	len = 0;
 	while (nbytes > 0) {
-		/* do not strip more than given bytes */
-		while (len && !*buff && lzeros < nbytes) {
-			lzeros++;
-			len--;
-			buff++;
-		}
+		lzeros = count_leading_zerobytes(buff, min(len, nbytes));
+		len -= lzeros;
+		buff += lzeros;
 
 		if (len && *buff)
 			break;
diff --git a/include/linux/count_zeros.h b/include/linux/count_zeros.h
index 5b8ff5a..29d9d67 100644
--- a/include/linux/count_zeros.h
+++ b/include/linux/count_zeros.h
@@ -8,6 +8,7 @@
 #ifndef _LINUX_BITOPS_COUNT_ZEROS_H_
 #define _LINUX_BITOPS_COUNT_ZEROS_H_
 
+#include <linux/string.h>
 #include <asm/bitops.h>
 
 /**
@@ -50,4 +51,14 @@ static inline int count_trailing_zeros(unsigned long x)
 		return (x != 0) ? __ffs(x) : COUNT_TRAILING_ZEROS_0;
 }
 
+static inline size_t count_leading_zerobytes(const void *start, size_t len)
+{
+	void *first = memchr_inv(start, 0, len);
+
+	if (!first)
+		return len;
+
+	return first - start;
+}
+
 #endif /* _LINUX_BITOPS_COUNT_ZEROS_H_ */
diff --git a/lib/crypto/mpi/mpicoder.c b/lib/crypto/mpi/mpicoder.c
index 9359a58..011434d 100644
--- a/lib/crypto/mpi/mpicoder.c
+++ b/lib/crypto/mpi/mpicoder.c
@@ -347,11 +347,9 @@ MPI mpi_read_raw_from_sgl(struct scatterlist *sgl, unsigned int nbytes)
 	lzeros = 0;
 	len = 0;
 	while (nbytes > 0) {
-		while (len && !*buff && lzeros < nbytes) {
-			lzeros++;
-			len--;
-			buff++;
-		}
+		lzeros = count_leading_zerobytes(buff, min(len, nbytes));
+		len -= lzeros;
+		buff += lzeros;
 
 		if (len && *buff)
 			break;


  reply	other threads:[~2026-04-14 22:15 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-12 14:19 [PATCH] crypto: lib/mpi - Fix integer underflow in mpi_read_raw_from_sgl() Lukas Wunner
2026-04-12 17:15 ` Ignat Korchagin
2026-04-13 11:58 ` Lukas Wunner
2026-04-14 17:59 ` Eric Biggers
2026-04-14 22:14   ` Lukas Wunner [this message]
2026-04-15 18:00     ` Eric Biggers
2026-04-15  2:46 ` Jarkko Sakkinen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ad68X6BveJXqynUk@wunner.de \
    --to=lukas@wunner.de \
    --cc=ardb@kernel.org \
    --cc=dhowells@redhat.com \
    --cc=ebiggers@kernel.org \
    --cc=herbert@gondor.apana.org.au \
    --cc=ignat@linux.win \
    --cc=jarkko@kernel.org \
    --cc=jason@zx2c4.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=tstruk@gigaio.com \
    --cc=yimingqian591@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox