* [PATCH] crypto: lib/mpi - Fix integer underflow in mpi_read_raw_from_sgl()
@ 2026-04-12 14:19 Lukas Wunner
2026-04-12 17:15 ` Ignat Korchagin
2026-04-13 11:58 ` Lukas Wunner
0 siblings, 2 replies; 3+ messages in thread
From: Lukas Wunner @ 2026-04-12 14:19 UTC (permalink / raw)
To: Eric Biggers, Jason Donenfeld, Ard Biesheuvel, Yiming Qian,
Herbert Xu
Cc: Ignat Korchagin, David Howells, Jarkko Sakkinen, Tadeusz Struk,
linux-crypto
Yiming reports an integer underflow in mpi_read_raw_from_sgl() when
subtracting "lzeros" from the unsigned "nbytes".
For this to happen, the scatterlist "sgl" needs to occupy more bytes
than the "nbytes" parameter and the first "nbytes + 1" bytes of the
scatterlist must be zero. Under these conditions, the while loop
iterating over the scatterlist will count more zeroes than "nbytes",
subtract the number of zeroes from "nbytes" and cause the underflow.
When commit 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers") originally
introduced the bug, it couldn't be triggered because all callers of
mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to
"nbytes".
However since commit 63ba4d67594a ("KEYS: asymmetric: Use new crypto
interface without scatterlists"), the underflow can now actually be
triggered. When invoking a KEYCTL_PKEY_ENCRYPT system call with a
larger "out_len" than "in_len" and filling the "in" buffer with zeroes,
crypto_akcipher_sync_prep() will create an all-zero scatterlist used for
both the "src" and "dst" member of struct akcipher_request and thereby
fulfil the conditions to trigger the bug:
sys_keyctl()
keyctl_pkey_e_d_s()
asymmetric_key_eds_op()
software_key_eds_op()
crypto_akcipher_sync_encrypt()
crypto_akcipher_sync_prep()
crypto_akcipher_encrypt()
rsa_enc()
mpi_read_raw_from_sgl()
To the user this will be visible as a DoS as the kernel spins forever,
causing soft lockup splats as a side effect.
Fix it.
Reported-by: Yiming Qian <yimingqian591@gmail.com> # off-list
Fixes: 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org # v4.4+
---
lib/crypto/mpi/mpicoder.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/crypto/mpi/mpicoder.c b/lib/crypto/mpi/mpicoder.c
index bf716a03c704..9359a58c29ec 100644
--- a/lib/crypto/mpi/mpicoder.c
+++ b/lib/crypto/mpi/mpicoder.c
@@ -347,7 +347,7 @@ MPI mpi_read_raw_from_sgl(struct scatterlist *sgl, unsigned int nbytes)
lzeros = 0;
len = 0;
while (nbytes > 0) {
- while (len && !*buff) {
+ while (len && !*buff && lzeros < nbytes) {
lzeros++;
len--;
buff++;
--
2.51.0
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH] crypto: lib/mpi - Fix integer underflow in mpi_read_raw_from_sgl()
2026-04-12 14:19 [PATCH] crypto: lib/mpi - Fix integer underflow in mpi_read_raw_from_sgl() Lukas Wunner
@ 2026-04-12 17:15 ` Ignat Korchagin
2026-04-13 11:58 ` Lukas Wunner
1 sibling, 0 replies; 3+ messages in thread
From: Ignat Korchagin @ 2026-04-12 17:15 UTC (permalink / raw)
To: Lukas Wunner
Cc: Eric Biggers, Jason Donenfeld, Ard Biesheuvel, Yiming Qian,
Herbert Xu, David Howells, Jarkko Sakkinen, Tadeusz Struk,
linux-crypto
On Sun, Apr 12, 2026 at 3:19 PM Lukas Wunner <lukas@wunner.de> wrote:
>
> Yiming reports an integer underflow in mpi_read_raw_from_sgl() when
> subtracting "lzeros" from the unsigned "nbytes".
>
> For this to happen, the scatterlist "sgl" needs to occupy more bytes
> than the "nbytes" parameter and the first "nbytes + 1" bytes of the
> scatterlist must be zero. Under these conditions, the while loop
> iterating over the scatterlist will count more zeroes than "nbytes",
> subtract the number of zeroes from "nbytes" and cause the underflow.
>
> When commit 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers") originally
> introduced the bug, it couldn't be triggered because all callers of
> mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to
> "nbytes".
>
> However since commit 63ba4d67594a ("KEYS: asymmetric: Use new crypto
> interface without scatterlists"), the underflow can now actually be
> triggered. When invoking a KEYCTL_PKEY_ENCRYPT system call with a
> larger "out_len" than "in_len" and filling the "in" buffer with zeroes,
> crypto_akcipher_sync_prep() will create an all-zero scatterlist used for
> both the "src" and "dst" member of struct akcipher_request and thereby
> fulfil the conditions to trigger the bug:
>
> sys_keyctl()
> keyctl_pkey_e_d_s()
> asymmetric_key_eds_op()
> software_key_eds_op()
> crypto_akcipher_sync_encrypt()
> crypto_akcipher_sync_prep()
> crypto_akcipher_encrypt()
> rsa_enc()
> mpi_read_raw_from_sgl()
>
> To the user this will be visible as a DoS as the kernel spins forever,
> causing soft lockup splats as a side effect.
>
> Fix it.
>
> Reported-by: Yiming Qian <yimingqian591@gmail.com> # off-list
> Fixes: 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers")
> Signed-off-by: Lukas Wunner <lukas@wunner.de>
> Cc: stable@vger.kernel.org # v4.4+
Reviewed-by: Ignat Korchagin <ignat@linux.win>
> ---
> lib/crypto/mpi/mpicoder.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/crypto/mpi/mpicoder.c b/lib/crypto/mpi/mpicoder.c
> index bf716a03c704..9359a58c29ec 100644
> --- a/lib/crypto/mpi/mpicoder.c
> +++ b/lib/crypto/mpi/mpicoder.c
> @@ -347,7 +347,7 @@ MPI mpi_read_raw_from_sgl(struct scatterlist *sgl, unsigned int nbytes)
> lzeros = 0;
> len = 0;
> while (nbytes > 0) {
> - while (len && !*buff) {
> + while (len && !*buff && lzeros < nbytes) {
> lzeros++;
> len--;
> buff++;
> --
> 2.51.0
>
>
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH] crypto: lib/mpi - Fix integer underflow in mpi_read_raw_from_sgl()
2026-04-12 14:19 [PATCH] crypto: lib/mpi - Fix integer underflow in mpi_read_raw_from_sgl() Lukas Wunner
2026-04-12 17:15 ` Ignat Korchagin
@ 2026-04-13 11:58 ` Lukas Wunner
1 sibling, 0 replies; 3+ messages in thread
From: Lukas Wunner @ 2026-04-13 11:58 UTC (permalink / raw)
To: Eric Biggers, Jason Donenfeld, Ard Biesheuvel, Yiming Qian,
Herbert Xu
Cc: Ignat Korchagin, David Howells, Jarkko Sakkinen, Tadeusz Struk,
linux-crypto
On Sun, Apr 12, 2026 at 04:19:47PM +0200, Lukas Wunner wrote:
> Yiming reports an integer underflow in mpi_read_raw_from_sgl() when
> subtracting "lzeros" from the unsigned "nbytes".
[...]
> +++ b/lib/crypto/mpi/mpicoder.c
> @@ -347,7 +347,7 @@ MPI mpi_read_raw_from_sgl(struct scatterlist *sgl, unsigned int nbytes)
> lzeros = 0;
> len = 0;
> while (nbytes > 0) {
> - while (len && !*buff) {
> + while (len && !*buff && lzeros < nbytes) {
> lzeros++;
> len--;
> buff++;
As a side note, in 2018, commit 8a2a0dd35f2e ("crypto: caam - strip
input zeros from RSA input buffer") copy-pasted a large portion of
mpi_read_raw_from_sgl() into caam_rsa_count_leading_zeros() and
duplicated the bug as well.
One year later, commit c3725f7ccc8c ("crypto: caam - fix
pkcs1pad(rsa-caam, sha256) failure because of invalid input")
fixed the bug in the duplicated function, but unfortunately not
in the original mpi_read_raw_from_sgl(). The fix was identical
to the one I'm proposing above.
Thanks,
Lukas
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-04-13 11:58 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-12 14:19 [PATCH] crypto: lib/mpi - Fix integer underflow in mpi_read_raw_from_sgl() Lukas Wunner
2026-04-12 17:15 ` Ignat Korchagin
2026-04-13 11:58 ` Lukas Wunner
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox