From mboxrd@z Thu Jan  1 00:00:00 1970
From: AKASHI Takahiro <takahiro.akashi@linaro.org>
Date: Tue, 9 Jun 2020 18:22:35 +0900
Subject: [BUG] ut lib lib_rsa_verify_valid crashes on qemu_arm if
 RSA_VERIFY_WITH_PKEY=y
In-Reply-To: <00F26104-AE59-47A9-BF55-70DA79D9A738@gmx.de>
References: <d481c877-9a4c-9cea-2abc-5e226c3a31e5@gmx.de>
 <20200609014214.GA19948@laputa>
 <00F26104-AE59-47A9-BF55-70DA79D9A738@gmx.de>
Message-ID: <20200609092235.GA5322@laputa>
List-Id: <u-boot.lists.denx.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

Heinrich,

On Tue, Jun 09, 2020 at 03:54:44AM +0000, Heinrich Schuchardt wrote:
> Am June 9, 2020 1:42:14 AM UTC schrieb AKASHI Takahiro <takahiro.akashi@linaro.org>:
> >Heinrich,
> >
> >On Mon, Jun 08, 2020 at 11:08:53PM +0200, Heinrich Schuchardt wrote:
> >> Hello Takahiro,
> >> 
> >> when trying to execute command
> >> 
> >> ut lib lib_rsa_verify_valid
> >> 
> >> on qemu_arm_defconfig with CONFIG_UNIT_TEST=y and
> >> CONFIG_RSA_VERIFY_WITH_PKEY=y it crashes in
> >> 
> >> free((void *)prop->modulus) called from
> >> rsa_free_key_prop() called from
> >> rsa_verify_key() called from
> >> rsa_verify_with_pkey().
> >> 
> >> Without CONFIG_RSA_VERIFY_WITH_PKEY=y the problem does not occur.
> >> On qemu_arm64_defconfig the problem does not occur.
> >
> >I can't reproduce your problem on v2020.07-rc4 exactly with
> >qemu_arm64_defconfig + PKEY=y:
> >
> >U-Boot 2020.07-rc4-dirty (Jun 09 2020 - 10:33:30 +0900)
> >
> >...
> >
> >=> ut lib
> >Running 11 lib tests
> >Test: lib_asn1_pkcs7
> >Test: lib_asn1_pkey
> >Test: lib_asn1_x509
> >Test: lib_memcpy
> >Test: lib_memmove
> >Test: lib_memset
> >Test: lib_rsa_verify_invalid
> >Test: lib_rsa_verify_valid
> >Test: lib_test_bin2hex
> >Test: lib_test_hex2bin
> >Test: lib_test_hex_to_bin
> >Failures: 0
> >
> >
> >-Takahiro Akashi
> 
> As said I only see the problem with 32 bit qemu_arm_defconfig.

Okay. I think that the size of rrtmp variable is not good enough
and when it is handed over to br_i32_decode(), it accidentally
destroys (*prop)->modulus.

Heiko's patch:
  https://lists.denx.de/pipermail/u-boot/2020-May/413101.html
will also fix this issue, but I'm not yet confident that
the solution here, doubling max_rsa_size, is a right approach.

-Takahiro Akashi


> Best regards
> 
> Heinrich
> 
> 
> >
> >> Could you, please, have a look.
> >> 
> >> Best regards
> >> 
> >> Heinrich
>