crypto: s390/aes - Fix buffer overread in CTR mode

public inbox for linux-s390@vger.kernel.org
 help / color / mirror / Atom feed

* crypto: s390/aes - Fix buffer overread in CTR mode
@ 2023-11-28  6:22 Herbert Xu
  2023-11-28 11:18 ` Harald Freudenberger
  2023-11-28 13:18 ` Harald Freudenberger
  0 siblings, 2 replies; 4+ messages in thread
From: Herbert Xu @ 2023-11-28  6:22 UTC (permalink / raw)
  To: Linux Crypto Mailing List, Harald Freudenberger, linux-s390,
	Gerald Schaefer, Jan Glauber

When processing the last block, the s390 ctr code will always read
a whole block, even if there isn't a whole block of data left.  Fix
this by using the actual length left and copy it into a buffer first
for processing.

Fixes: 0200f3ecc196 ("crypto: s390 - add System z hardware support for CTR mode")
Cc: <stable@vger.kernel.org>
Reported-by: Guangwu Zhang <guazhang@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/arch/s390/crypto/aes_s390.c b/arch/s390/crypto/aes_s390.c
index c773820e4af9..c6fe5405de4a 100644
--- a/arch/s390/crypto/aes_s390.c
+++ b/arch/s390/crypto/aes_s390.c
@@ -597,7 +597,9 @@ static int ctr_aes_crypt(struct skcipher_request *req)
 	 * final block may be < AES_BLOCK_SIZE, copy only nbytes
 	 */
 	if (nbytes) {
-		cpacf_kmctr(sctx->fc, sctx->key, buf, walk.src.virt.addr,
+		memset(buf, 0, AES_BLOCK_SIZE);
+		memcpy(buf, walk.src.virt.addr, nbytes);
+		cpacf_kmctr(sctx->fc, sctx->key, buf, buf,
 			    AES_BLOCK_SIZE, walk.iv);
 		memcpy(walk.dst.virt.addr, buf, nbytes);
 		crypto_inc(walk.iv, AES_BLOCK_SIZE);
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: crypto: s390/aes - Fix buffer overread in CTR mode
  2023-11-28  6:22 crypto: s390/aes - Fix buffer overread in CTR mode Herbert Xu
@ 2023-11-28 11:18 ` Harald Freudenberger
  2023-11-28 13:18 ` Harald Freudenberger
  1 sibling, 0 replies; 4+ messages in thread
From: Harald Freudenberger @ 2023-11-28 11:18 UTC (permalink / raw)
  To: Herbert Xu
  Cc: Linux Crypto Mailing List, linux-s390, Gerald Schaefer,
	Jan Glauber, Holger Dengler

On 2023-11-28 07:22, Herbert Xu wrote:
> When processing the last block, the s390 ctr code will always read
> a whole block, even if there isn't a whole block of data left.  Fix
> this by using the actual length left and copy it into a buffer first
> for processing.
> 
> Fixes: 0200f3ecc196 ("crypto: s390 - add System z hardware support for
> CTR mode")
> Cc: <stable@vger.kernel.org>
> Reported-by: Guangwu Zhang <guazhang@redhat.com>
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
> 
> diff --git a/arch/s390/crypto/aes_s390.c b/arch/s390/crypto/aes_s390.c
> index c773820e4af9..c6fe5405de4a 100644
> --- a/arch/s390/crypto/aes_s390.c
> +++ b/arch/s390/crypto/aes_s390.c
> @@ -597,7 +597,9 @@ static int ctr_aes_crypt(struct skcipher_request 
> *req)
>  	 * final block may be < AES_BLOCK_SIZE, copy only nbytes
>  	 */
>  	if (nbytes) {
> -		cpacf_kmctr(sctx->fc, sctx->key, buf, walk.src.virt.addr,
> +		memset(buf, 0, AES_BLOCK_SIZE);
> +		memcpy(buf, walk.src.virt.addr, nbytes);
> +		cpacf_kmctr(sctx->fc, sctx->key, buf, buf,
>  			    AES_BLOCK_SIZE, walk.iv);
>  		memcpy(walk.dst.virt.addr, buf, nbytes);
>  		crypto_inc(walk.iv, AES_BLOCK_SIZE);

Reviewd-by: Harald Freudenberger <freude@de.ibm.com>

There is similar code in paes_s390.c. I'll send a patch for that.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: crypto: s390/aes - Fix buffer overread in CTR mode
  2023-11-28  6:22 crypto: s390/aes - Fix buffer overread in CTR mode Herbert Xu
  2023-11-28 11:18 ` Harald Freudenberger
@ 2023-11-28 13:18 ` Harald Freudenberger
  2023-12-08  4:06   ` Herbert Xu
  1 sibling, 1 reply; 4+ messages in thread
From: Harald Freudenberger @ 2023-11-28 13:18 UTC (permalink / raw)
  To: Herbert Xu
  Cc: Linux Crypto Mailing List, linux-s390, Gerald Schaefer,
	Jan Glauber

On 2023-11-28 07:22, Herbert Xu wrote:
> When processing the last block, the s390 ctr code will always read
> a whole block, even if there isn't a whole block of data left.  Fix
> this by using the actual length left and copy it into a buffer first
> for processing.
> 
> Fixes: 0200f3ecc196 ("crypto: s390 - add System z hardware support for
> CTR mode")
> Cc: <stable@vger.kernel.org>
> Reported-by: Guangwu Zhang <guazhang@redhat.com>
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
> 
> diff --git a/arch/s390/crypto/aes_s390.c b/arch/s390/crypto/aes_s390.c
> index c773820e4af9..c6fe5405de4a 100644
> --- a/arch/s390/crypto/aes_s390.c
> +++ b/arch/s390/crypto/aes_s390.c
> @@ -597,7 +597,9 @@ static int ctr_aes_crypt(struct skcipher_request 
> *req)
>  	 * final block may be < AES_BLOCK_SIZE, copy only nbytes
>  	 */
>  	if (nbytes) {
> -		cpacf_kmctr(sctx->fc, sctx->key, buf, walk.src.virt.addr,
> +		memset(buf, 0, AES_BLOCK_SIZE);
> +		memcpy(buf, walk.src.virt.addr, nbytes);
> +		cpacf_kmctr(sctx->fc, sctx->key, buf, buf,
>  			    AES_BLOCK_SIZE, walk.iv);
>  		memcpy(walk.dst.virt.addr, buf, nbytes);
>  		crypto_inc(walk.iv, AES_BLOCK_SIZE);

Here is a similar fix for the s390 paes ctr cipher. Compiles and is
tested. You may merge this with your patch for the s390 aes cipher.

--------------------------------------------------------------------------------

diff --git a/arch/s390/crypto/paes_s390.c b/arch/s390/crypto/paes_s390.c
index 8b541e44151d..55ee5567a5ea 100644
--- a/arch/s390/crypto/paes_s390.c
+++ b/arch/s390/crypto/paes_s390.c
@@ -693,9 +693,11 @@ static int ctr_paes_crypt(struct skcipher_request 
*req)
          * final block may be < AES_BLOCK_SIZE, copy only nbytes
          */
         if (nbytes) {
+               memset(buf, 0, AES_BLOCK_SIZE);
+               memcpy(buf, walk.src.virt.addr, nbytes);
                 while (1) {
                         if (cpacf_kmctr(ctx->fc, &param, buf,
-                                       walk.src.virt.addr, 
AES_BLOCK_SIZE,
+                                       buf, AES_BLOCK_SIZE,
                                         walk.iv) == AES_BLOCK_SIZE)
                                 break;
                         if (__paes_convert_key(ctx))

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: crypto: s390/aes - Fix buffer overread in CTR mode
  2023-11-28 13:18 ` Harald Freudenberger
@ 2023-12-08  4:06   ` Herbert Xu
  0 siblings, 0 replies; 4+ messages in thread
From: Herbert Xu @ 2023-12-08  4:06 UTC (permalink / raw)
  To: Harald Freudenberger
  Cc: Linux Crypto Mailing List, linux-s390, Gerald Schaefer,
	Jan Glauber

On Tue, Nov 28, 2023 at 02:18:02PM +0100, Harald Freudenberger wrote:
>
> Here is a similar fix for the s390 paes ctr cipher. Compiles and is
> tested. You may merge this with your patch for the s390 aes cipher.

Thank you.  I had to apply this by hand so please check the result
which I've just pushed out to cryptodev.

Cheers,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2023-12-08  4:06 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-11-28  6:22 crypto: s390/aes - Fix buffer overread in CTR mode Herbert Xu
2023-11-28 11:18 ` Harald Freudenberger
2023-11-28 13:18 ` Harald Freudenberger
2023-12-08  4:06   ` Herbert Xu

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox