From: Anastasia Tishchenko
To: Lukas Wunner, Ignat Korchagin, Stefan Berger, Herbert Xu, "David S . Miller"
Cc: linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, Anastasia Tishchenko
Subject: [PATCH] crypto : ecc - Fix carry overflow in vli multiplication
Date: Fri, 8 May 2026 14:48:44 +0300
Message-ID: <20260508114844.29694-1-sv3iry@gmail.com>

The carry flag calculation fails when r01.m_high is saturated (0xFFFFFFFFFFFFFFFF) and addition of lower bits overflows. The condition (r01.m_high < product.m_high) doesn't handle the case where r01.m_high == product.m_high and an additional carry exists from lower-bit overflow.

Add proper handling for this boundary by accounting for the carry from the lower addition.

This issue was discovered during formal verification of ECC functions.

Signed-off-by: Anastasia Tishchenko
--- crypto/ecc.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/crypto/ecc.c b/crypto/ecc.c index 43b0def3a225..dfe96471407c 100644 --- a/crypto/ecc.c +++ b/crypto/ecc.c @@ -427,7 +427,10 @@ static void vli_mult(u64 *result, const u64 *left, const u64 *right, product = mul_64_64(left[i], right[k - i]); r01 = add_128_128(r01, product); - r2 += (r01.m_high < product.m_high); + if (r01.m_high != product.m_high) + r2 += (r01.m_high < product.m_high); + else + r2 += (r01.m_low < product.m_low); } result[k] = r01.m_low; 
@@ -488,7 +491,10 @@ static void vli_square(u64 *result, const u64 *left, unsigned int ndigits) } r01 = add_128_128(r01, product); - r2 += (r01.m_high < product.m_high); + if (r01.m_high != product.m_high) + r2 += (r01.m_high < product.m_high); + else + r2 += (r01.m_low < product.m_low); } result[k] = r01.m_low; -- 2.43.0
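
Review bot: the tie branch added in the inner loop of vli_mult (else r2 += (r01.m_low < product.m_low);) needs a short comment saying why the low halves decide the carry when r01.m_high == product.m_high, because that reasoning is the whole fix and cannot be read off the code. The commit message also carries no Fixes: tag and the patch adds no test input that reaches the saturated r01.m_high case, so please add both so the boundary stays covered.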
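
Review bot: the four lines added after add_128_128() in vli_square are a verbatim copy of the ones added in vli_mult, so the carry rule now lives in two places that have to be kept in sync. Consider one small static helper next to add_128_128 that takes r01 and product and returns the carry, called as r2 += helper(r01, product); from both loops.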
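
The boundary case the commit message describes, as an added example that is not code from the patch or the kernel tree. It assumes add_128_128 is a plain two-limb add with the low carry folded into the high limb; `u128`, `carry_old`, `carry_new`, `carry_ref`, `EDGE` and `mismatches` are hypothetical names, and the limb values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Two 64-bit limbs; field names follow the patch, the type name is hypothetical. */
typedef struct { uint64_t m_low, m_high; } u128;

/* Assumed model of add_128_128: add limbs, fold the low carry into the high limb. */
static u128 add_128_128(u128 a, u128 b)
{
	u128 r = { a.m_low + b.m_low, 0 };
	r.m_high = a.m_high + b.m_high + (r.m_low < a.m_low);
	return r;
}

/* Check before the patch: high limb only. */
static int carry_old(u128 sum, u128 product) { return sum.m_high < product.m_high; }

/* Check after the patch: on equal high limbs the low limbs decide. */
static int carry_new(u128 sum, u128 product)
{
	if (sum.m_high != product.m_high)
		return sum.m_high < product.m_high;
	return sum.m_low < product.m_low;
}

/* Reference carry out of bit 127 (unsigned __int128 is a GCC/Clang extension). */
static int carry_ref(u128 a, u128 b)
{
	unsigned __int128 x = ((unsigned __int128)a.m_high << 64) | a.m_low;
	unsigned __int128 y = ((unsigned __int128)b.m_high << 64) | b.m_low;
	return (unsigned __int128)(x + y) < x;
}

/* Constructed limb values around the wrap points. */
static const uint64_t EDGE[] = { 0, 1, 5, UINT64_MAX - 1, UINT64_MAX };
#define NEDGE (sizeof(EDGE) / sizeof(EDGE[0]))

/* Count edge inputs where `check` disagrees with the reference carry. */
static int mismatches(int (*check)(u128, u128))
{
	int bad = 0;
	for (size_t i = 0; i < NEDGE * NEDGE * NEDGE * NEDGE; i++) {
		u128 a = { EDGE[i % NEDGE], EDGE[i / NEDGE % NEDGE] };
		u128 b = { EDGE[i / (NEDGE * NEDGE) % NEDGE], EDGE[i / (NEDGE * NEDGE * NEDGE)] };
		bad += check(add_128_128(a, b), b) != carry_ref(a, b);
	}
	return bad;
}
int main(void) { printf("old: %d new: %d\n", mismatches(carry_old), mismatches(carry_new)); return 0; }
```

Here `a` plays the role of the running r01 and `b` the new product; every input the old check gets wrong has a saturated high limb in `a` and a carry out of the low limbs.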