public inbox for u-boot@lists.denx.de
From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: u-boot@lists.denx.de
Subject: [BUG] rsa: crash in br_i32_decode() called from rsa_gen_key_prop()
Date: Tue, 8 Sep 2020 09:21:59 +0900
Message-ID: <20200908002159.GA1814894@laputa>
In-Reply-To: <61085ee5-a5ef-2164-ef56-6ab2d7d8da64@gmx.de>

On Mon, Sep 07, 2020 at 05:58:14PM +0200, Heinrich Schuchardt wrote:
> Hello Takahiro,
> 
> on the 32bit Wandboard (with i.mx6 CPU) running the lib_asn1_pkcs7 unit
> test results in a crash due to an unaligned access occurring when
> br_i32_decode() is called by rsa_gen_key_prop().

Some guy has sent me a similar bug report about unaligned access
in rsa-keyprop.c.
I will ask him to post a patch as he seems to have fixed it.

-Takahiro Akashi


> Please, check the alignment assumptions for src when calling
> br_i32_decode(). If src is only 1 byte aligned, you should neither call
> be32_to_cpup() nor be16_to_cpup() which assume 32bit and 16bit alignment.
> 
> 
> ----Running lib tests----
> Running 14 lib tests
> Test: lib_asn1_pkcs7
> data abort
> pc : [<8efb3a8e>]          lr : [<8efb3bbd>]
> reloc pc : [<17845a8e>]    lr : [<17845bbd>]
> sp : 8e561330  ip : 00000001     fp : 8efd9d66
> r10: 8e58f040  r9 : 8e56dec0     r8 : 8e588748
> r7 : 00000001  r6 : 8e58f350     r5 : 8e58f350  r4 : 8e58f350
> r3 : 000000fc  r2 : 00000100     r1 : 8e58ee49  r0 : 8e58f350
> Flags: nzCv  IRQs off  FIQs off  Mode SVC_32 (T)
> Code: ea43 4302 e7a2 3b04 (58c8) ba00
> Resetting CPU ...
> 
> resetting ...
> 
> 
> 
> br_i32_decode():
> 
>         return be16_to_cpup(src);
> 17845a84:       b29b            uxth    r3, r3
>                                         w = ((uint32_t)buf[0] << 16)
> 17845a86:       ea43 4302       orr.w   r3, r3, r2, lsl #16
> 17845a8a:       e7a2            b.n     178459d2 <br_i32_decode+0x24>
>                         u -= 4;
> 17845a8c:       3b04            subs    r3, #4
>         return __arch__swab32p(x);
> 17845a8e:       58c8            ldr     r0, [r1, r3]  <<<<<<<<<<<<<<
> 17845a90:       ba00            rev     r0, r0
>                         x[v ++] = br_dec32be(buf + u);
> 17845a92:       f845 0f04       str.w   r0, [r5, #4]!
>                 if (u < 4) {
> 17845a96:       e78f            b.n     178459b8 <br_i32_decode+0xa>
>         return y ^ (-ctl & (x ^ y));
> 
> 
> rsa_gen_key_prop():
> 
>         /* n0 inverse */
>         br_i32_decode(n, &rsa_key.n[i], rsa_key.n_sz - i);
> 17845bac:       9910            ldr     r1, [sp, #64]   ; 0x40
>         (*prop)->exp_len = sizeof(uint64_t);
> 17845bae:       615a            str     r2, [r3, #20]
>         br_i32_decode(n, &rsa_key.n[i], rsa_key.n_sz - i);
> 17845bb0:       9a18            ldr     r2, [sp, #96]   ; 0x60
> 17845bb2:       4439            add     r1, r7
> 17845bb4:       1bd2            subs    r2, r2, r7
> 17845bb6:       4630            mov     r0, r6
> 17845bb8:       f7ff fef9       bl      178459ae <br_i32_decode> <<<<<<
>         (*prop)->n0inv = br_i32_ninv32(n[1]);
> 17845bbc:       6873            ldr     r3, [r6, #4]
> 17845bbe:       682a            ldr     r2, [r5, #0]
>         y = 2 - x;
> 17845bc0:       f1c3 0102       rsb     r1, r3, #2
> 
> 
> 
> Best regards
> 
> Heinrich
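
Added example, not part of the original thread and not U-Boot or BearSSL code: a byte-wise big-endian decode that places no alignment requirement on src, run on an integer that starts at an odd offset as in the report (the faulting load there uses r1 = 8e58ee49). The names load_be32, decode_be_words and the sample buffer are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Byte-wise big-endian load: valid for any alignment of p. */
static uint32_t load_be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical helper: decode a big-endian integer into 32-bit words,
 * least significant word first, stepping back 4 bytes at a time from
 * the end of the buffer. Returns the number of words written. */
size_t decode_be_words(uint32_t *x, size_t max, const uint8_t *buf, size_t len)
{
	size_t u = len, v = 0;

	while (u > 0 && v < max) {
		if (u < 4) {	/* 1..3 leading bytes left over */
			uint32_t w = 0;
			for (size_t i = 0; i < u; i++)
				w = (w << 8) | buf[i];
			x[v++] = w;
			break;
		}
		u -= 4;
		x[v++] = load_be32(buf + u);	/* buf + u may be odd */
	}
	return v;
}

/* Constructed sample: 4-byte-aligned storage, integer starts at offset 1. */
static union { uint32_t align; uint8_t b[12]; } sample = {
	.b = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09 }
};
static uint32_t words[4];

int sample_src_is_misaligned(void)
{
	return ((uintptr_t)&sample.b[1] & 3) != 0;
}

size_t sample_decode(void)
{
	return decode_be_words(words, 4, &sample.b[1], 9);
}

uint32_t sample_word(size_t i) { return words[i]; }

int main(void) { return sample_decode() == 3 ? 0 : 1; }
```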
