Re: [bug] crypto/vmx/p8_ghash memory corruption in 4.8-rc7

linuxppc-dev.lists.ozlabs.org archive mirror
 help / color / mirror / Atom feed

From: Marcelo Cerri <marcelo.cerri@canonical.com>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Jan Stancek <jstancek@redhat.com>,
	rui y wang <rui.y.wang@intel.com>,
	mhcerri@linux.vnet.ibm.com, leosilva@linux.vnet.ibm.com,
	pfsmorigo@linux.vnet.ibm.com, linux-crypto@vger.kernel.org,
	linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org
Subject: Re: [bug] crypto/vmx/p8_ghash memory corruption in 4.8-rc7
Date: Wed, 28 Sep 2016 09:28:44 -0300	[thread overview]
Message-ID: <20160928122844.GC15729@gallifrey> (raw)
In-Reply-To: <20160928024549.GB14034@gondor.apana.org.au>

[-- Attachment #1: Type: text/plain, Size: 1931 bytes --]

Hi Herbert,

On Wed, Sep 28, 2016 at 10:45:49AM +0800, Herbert Xu wrote:
> On Tue, Sep 27, 2016 at 04:46:44PM -0300, Marcelo Cerri wrote:
> >
> > Can you check if the problem occurs with this patch?
>
> In light of the fact that padlock-sha is the correct example
> to follow, you only need to add one line to the init_tfm fucntion
> to update the descsize based on that of the fallback.
>

Not sure if I'm missing something here but p8_ghash already does that:

 56 static int p8_ghash_init_tfm(struct crypto_tfm *tfm)
 57 {
 ...
 83         shash_tfm->descsize = sizeof(struct p8_ghash_desc_ctx)
 84             + crypto_shash_descsize(fallback);
 85
 86         return 0;
 87 }

I think the problem here is that crypto_ahash_statesize uses the
statesize value (that is initialized with the descsize value from
shash_alg) instead of using the value from the tfm that was updated.

For padlock_sha1, it uses the value from alg->statesize since it defines
import and export functions. It doesn't make much difference if it uses
the value from descsize or statesize here, what really matter is that
it uses the value defined in struct shash_alg and not from the tfm.

The big difference between p8_ghash and padlock_sha1 is that
padlock_sha1 defines alg->statesize as sizeof(struct sha1_state), which
is the descsize value used by sha1_generic. This probably works but
it's also wrong because the padlock_sha1 driver does not ensures that
sha1_generic is always used.

So, one solution is to hardcode ghash-generic as the fallback algorithm
and update the descsize direct in its shash_alg structure. There's only
one problem with that. ghash-generic desc type (struct ghash_desc_ctx)
is not available for vmx_crypto at compile type, the type is defined
directly in crypto/ghash-generic.c. That's the reason I added a function
to get the fallback desc size at runtime in the patch I wrote as a prove
of concept.

--
Regards,
Marcelo

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 473 bytes --]

next prev parent reply	other threads:[~2016-09-28 12:28 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <450861381.1559123.1474673197124.JavaMail.zimbra@redhat.com>
2016-09-24  0:22 ` [bug] crypto/vmx/p8_ghash memory corruption in 4.8-rc7 Jan Stancek
2016-09-26 14:15   ` Marcelo Cerri
2016-09-26 17:50     ` Jan Stancek
2016-09-26 14:59   ` Herbert Xu
2016-09-26 17:43     ` Marcelo Cerri
2016-09-27  3:08       ` Herbert Xu
2016-09-27  9:01         ` Jan Stancek
2016-09-27 12:04           ` Marcelo Cerri
2016-09-27 19:46             ` Marcelo Cerri
2016-09-28  2:45               ` Herbert Xu
2016-09-28  7:40                 ` Jan Stancek
2016-09-28 12:29                   ` Herbert Xu
2016-09-28 12:38                     ` Marcelo Cerri
2016-09-28 12:44                       ` Herbert Xu
2016-09-28 12:55                         ` Marcelo Cerri
2016-09-28 13:09                           ` Herbert Xu
2016-09-28 12:28                 ` Marcelo Cerri [this message]
2016-09-28 12:33                   ` Herbert Xu
2016-09-28 13:22                     ` Paulo Flabiano Smorigo
2016-09-28  8:59               ` Jan Stancek
2016-09-28  2:44           ` Herbert Xu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160928122844.GC15729@gallifrey \
    --to=marcelo.cerri@canonical.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=jstancek@redhat.com \
    --cc=leosilva@linux.vnet.ibm.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linuxppc-dev@lists.ozlabs.org \
    --cc=mhcerri@linux.vnet.ibm.com \
    --cc=pfsmorigo@linux.vnet.ibm.com \
    --cc=rui.y.wang@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).