From: Eric Biggers <ebiggers@kernel.org>
To: Christophe Leroy <christophe.leroy@c-s.fr>
Cc: linux-crypto@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
Peter Robinson <pbrobinson@gmail.com>,
stable@vger.kernel.org
Subject: Re: [PATCH] crypto: ghash - fix unaligned memory access in ghash_setkey()
Date: Mon, 3 Jun 2019 10:31:32 -0700 [thread overview]
Message-ID: <20190603173131.GA240519@gmail.com> (raw)
In-Reply-To: <0f7e6d3d-aa27-30c3-5c82-67d484bf667c@c-s.fr>
On Mon, Jun 03, 2019 at 09:27:24AM +0200, Christophe Leroy wrote:
>
>
> Le 30/05/2019 à 19:50, Eric Biggers a écrit :
> > From: Eric Biggers <ebiggers@google.com>
> >
> > Changing ghash_mod_init() to be subsys_initcall made it start running
> > before the alignment fault handler has been installed on ARM. In kernel
> > builds where the keys in the ghash test vectors happened to be
> > misaligned in the kernel image, this exposed the longstanding bug that
> > ghash_setkey() is incorrectly casting the key buffer (which can have any
> > alignment) to be128 for passing to gf128mul_init_4k_lle().
> >
> > Fix this by memcpy()ing the key to a temporary buffer.
>
> Shouldn't we make it dependent on CONFIG_HAVE_64BIT_ALIGNED_ACCESS
No, because the buffer can have as little as 1-byte alignment.
> or !CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS ?
I don't think that's a good idea because two code paths are harder to test than
one, and also CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS only means that the CPU
allows "regular" loads and stores to be misaligned. On some architectures the
compiler can still generate load and store instructions that require alignment,
e.g. 'ldrd' or 'ldm' on ARM.
We could change gf128mul_init_4k_lle() to take a byte array and make it use
get_unaligned_be64(). But since it has to allocate and initialize a 4 KiB
multiplication table anyway, that microoptimization would be lost in the noise.
- Eric
next prev parent reply other threads:[~2019-06-03 17:31 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-30 17:50 [PATCH] crypto: ghash - fix unaligned memory access in ghash_setkey() Eric Biggers
2019-05-31 9:42 ` Peter Robinson
2019-06-03 7:27 ` Christophe Leroy
2019-06-03 17:31 ` Eric Biggers [this message]
2019-06-06 6:53 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190603173131.GA240519@gmail.com \
--to=ebiggers@kernel.org \
--cc=christophe.leroy@c-s.fr \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=pbrobinson@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).