From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 243E8C433FF for ; Fri, 2 Aug 2019 10:05:26 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id F2F0B2067D for ; Fri, 2 Aug 2019 10:05:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1564740326; bh=HMENl/L5+knTn/Fjjyg+GxPo4hsqznlJ+G8e9eT390w=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=ZDmNRwWGzA11yln6TJnzcTgD+TYTAvAbsFV6quOed1LHRNx6wkGtabJ2LweSl0eNB 1yoKYZmCwcjd3PBTSv1R7sgDdgFCMYGXwRUMBDsr+SpiRH8TAxDWK2hUXnX9sUMhMt z86i7IfQWNj7+dwYTLd03UlUT/CHttiiugCEjKhE= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391259AbfHBJci (ORCPT ); Fri, 2 Aug 2019 05:32:38 -0400 Received: from mail.kernel.org ([198.145.29.99]:59646 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2390069AbfHBJch (ORCPT ); Fri, 2 Aug 2019 05:32:37 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 2F340217D6; Fri, 2 Aug 2019 09:32:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1564738356; bh=HMENl/L5+knTn/Fjjyg+GxPo4hsqznlJ+G8e9eT390w=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=qcqFuMU/wmKweBFz+bMUjdmq0Z1/Ix1BgCBkouZuq8Kqxi+ANONk/hluJjSN/x2Cv yvz88RK31dBkGPOyX6h+zn7Httq74RZbqTdDpgKmbdAulmi7X86/A8+epVL8cnOiRx G4KH6M9BeIxwFcwAjb8DK15TbO5+2kpCckdIlsIs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Peter Robinson , Eric Biggers , Herbert Xu Subject: [PATCH 4.4 055/158] crypto: ghash - fix unaligned memory access in ghash_setkey() Date: Fri, 2 Aug 2019 11:27:56 +0200 Message-Id: <20190802092215.230683299@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190802092203.671944552@linuxfoundation.org> References: <20190802092203.671944552@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Eric Biggers commit 5c6bc4dfa515738149998bb0db2481a4fdead979 upstream. Changing ghash_mod_init() to be subsys_initcall made it start running before the alignment fault handler has been installed on ARM. In kernel builds where the keys in the ghash test vectors happened to be misaligned in the kernel image, this exposed the longstanding bug that ghash_setkey() is incorrectly casting the key buffer (which can have any alignment) to be128 for passing to gf128mul_init_4k_lle(). Fix this by memcpy()ing the key to a temporary buffer. Don't fix it by setting an alignmask on the algorithm instead because that would unnecessarily force alignment of the data too. Fixes: 2cdc6899a88e ("crypto: ghash - Add GHASH digest algorithm for GCM") Reported-by: Peter Robinson Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers Tested-by: Peter Robinson Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman --- crypto/ghash-generic.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/crypto/ghash-generic.c +++ b/crypto/ghash-generic.c @@ -34,6 +34,7 @@ static int ghash_setkey(struct crypto_sh const u8 *key, unsigned int keylen) { struct ghash_ctx *ctx = crypto_shash_ctx(tfm); + be128 k; if (keylen != GHASH_BLOCK_SIZE) { crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); @@ -42,7 +43,12 @@ static int ghash_setkey(struct crypto_sh if (ctx->gf128) gf128mul_free_4k(ctx->gf128); - ctx->gf128 = gf128mul_init_4k_lle((be128 *)key); + + BUILD_BUG_ON(sizeof(k) != GHASH_BLOCK_SIZE); + memcpy(&k, key, GHASH_BLOCK_SIZE); /* avoid violating alignment rules */ + ctx->gf128 = gf128mul_init_4k_lle(&k); + memzero_explicit(&k, GHASH_BLOCK_SIZE); + if (!ctx->gf128) return -ENOMEM;