mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-15 23:25:07 +00:00
Code Issues Releases Wiki Activity
linux-stable/crypto
History
Eric Biggers fbe5cff932 crypto: x86/poly1305 - fix overflow during partial reduction 
commit 678cce4019 upstream.

The x86_64 implementation of Poly1305 produces the wrong result on some
inputs because poly1305_4block_avx2() incorrectly assumes that when
partially reducing the accumulator, the bits carried from limb 'd4' to
limb 'h0' fit in a 32-bit integer.  This is true for poly1305-generic
which processes only one block at a time.  However, it's not true for
the AVX2 implementation, which processes 4 blocks at a time and
therefore can produce intermediate limbs about 4x larger.

Fix it by making the relevant calculations use 64-bit arithmetic rather
than 32-bit.  Note that most of the carries already used 64-bit
arithmetic, but the d4 -> h0 carry was different for some reason.

To be safe I also made the same change to the corresponding SSE2 code,
though that only operates on 1 or 2 blocks at a time.  I don't think
it's really needed for poly1305_block_sse2(), but it doesn't hurt
because it's already x86_64 code.  It *might* be needed for
poly1305_2block_sse2(), but overflows aren't easy to reproduce there.

This bug was originally detected by my patches that improve testmgr to
fuzz algorithms against their generic implementation.  But also add a
test vector which reproduces it directly (in the AVX2 case).

Fixes: b1ccc8f4b6 ("crypto: poly1305 - Add a four block AVX2 variant for x86_64")
Fixes: c70f4abef0 ("crypto: poly1305 - Add a SSE2 SIMD variant for x86_64")
Cc: <stable@vger.kernel.org> # v4.3+
Cc: Martin Willi <martin@strongswan.org>
Cc: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-04-27 09:36:37 +02:00
..
asymmetric_keys Replace magic for trusting the secondary keyring with #define 2018-08-16 09:57:20 -07:00
async_tx async_pq: Remove VLA usage 2018-06-18 20:17:38 +05:30
842.c crypto: acomp - add support for 842 via scomp 2016-10-25 11:08:33 +08:00
ablkcipher.c crypto: ablkcipher - fix crash flushing dcache in error path 2018-08-03 18:06:04 +08:00
acompress.c crypto: acomp - allow registration of multiple acomps 2017-04-21 20:30:50 +08:00
aead.c crypto: aead - set CRYPTO_TFM_NEED_KEY if ->setkey() fails 2019-03-23 20:09:54 +01:00
aegis.h crypto: aegis/generic - fix for big endian systems 2018-11-13 11:08:46 -08:00
aegis128.c crypto: aegis - fix handling chunked inputs 2019-03-23 20:09:54 +01:00
aegis128l.c crypto: aegis - fix handling chunked inputs 2019-03-23 20:09:54 +01:00
aegis256.c crypto: aegis - fix handling chunked inputs 2019-03-23 20:09:54 +01:00
aes_generic.c crypto: aes-generic - drop alignment requirement 2017-02-11 17:50:43 +08:00
aes_ti.c crypto: aes_ti - disable interrupts while accessing S-box 2019-02-12 19:46:58 +01:00
af_alg.c net: crypto set sk to NULL when af_alg_release. 2019-02-23 09:07:24 +01:00
ahash.c crypto: hash - set CRYPTO_TFM_NEED_KEY if ->setkey() fails 2019-03-23 20:09:54 +01:00
akcipher.c crypto: Replaced gcc specific attributes with macros from compiler.h 2017-01-13 00:24:39 +08:00
algapi.c crypto: api - laying defines and checks for statically allocated buffers 2018-04-21 00:58:32 +08:00
algboss.c crypto: algboss - remove redundant setting of len to zero 2017-10-07 12:10:34 +08:00
algif_aead.c Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL 2018-06-28 10:40:47 -07:00
algif_hash.c net: remove sock_no_poll 2018-05-26 09:16:44 +02:00
algif_rng.c net: remove sock_no_poll 2018-05-26 09:16:44 +02:00
algif_skcipher.c Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL 2018-06-28 10:40:47 -07:00
ansi_cprng.c crypto: ansi_cprng - Convert to new rng interface 2015-04-22 09:30:18 +08:00
anubis.c crypto: prefix module autoloading with "crypto-" 2014-11-24 22:43:57 +08:00
api.c evm: Don't deadlock if a crypto algorithm is unavailable 2018-07-18 07:27:22 -04:00
arc4.c crypto: prefix module autoloading with "crypto-" 2014-11-24 22:43:57 +08:00
authenc.c crypto: authenc - fix parsing key with misaligned rta_len 2019-01-22 21:40:32 +01:00
authencesn.c crypto: authencesn - Avoid twice completion call in decrypt path 2019-01-22 21:40:31 +01:00
blkcipher.c crypto: blkcipher - fix crash flushing dcache in error path 2018-08-03 18:06:04 +08:00
blowfish_common.c
blowfish_generic.c crypto: add missing crypto module aliases 2015-01-13 22:29:11 +11:00
camellia_generic.c crypto: replace FSF address with web source in license notices 2017-11-29 17:33:25 +11:00
cast5_generic.c crypto: replace FSF address with web source in license notices 2017-11-29 17:33:25 +11:00
cast6_generic.c crypto: replace FSF address with web source in license notices 2017-11-29 17:33:25 +11:00
cast_common.c
cbc.c crypto: do not free algorithm before using 2018-12-13 09:16:21 +01:00
ccm.c crypto: ccm - preserve the IV buffer 2017-11-03 21:35:35 +08:00
cfb.c crypto: cfb - remove bogus memcpy() with src == dest 2019-03-23 20:09:40 +01:00
chacha20_generic.c crypto: chacha20 - Fix keystream alignment for chacha20_block() 2017-11-29 17:33:33 +11:00
chacha20poly1305.c crypto: chacha20poly1305 - validate the digest size 2017-12-22 19:02:33 +11:00
cipher.c crypto: remove several VLAs 2018-04-21 00:58:34 +08:00
cmac.c crypto: algapi - make crypto_xor() and crypto_inc() alignment agnostic 2017-02-11 17:52:28 +08:00
compress.c crypto: api - Remove no-op exit_ops code 2016-10-21 11:03:42 +08:00
crc32_generic.c crypto: crc32-generic - remove __crc32_le() 2018-05-27 00:12:09 +08:00
crc32c_generic.c crypto: crc32c-generic - remove cra_alignmask 2018-05-27 00:12:08 +08:00
crct10dif_common.c
crct10dif_generic.c crypto: squash lines for simple wrapper functions 2016-09-13 20:27:26 +08:00
cryptd.c crypto: hash - annotate algorithms taking optional key 2018-01-12 23:03:35 +11:00
crypto_engine.c crypto: engine - Permit to enqueue all async requests 2018-02-15 23:26:50 +08:00
crypto_null.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
crypto_user.c crypto: user - fix leaking uninitialized memory to userspace 2018-11-21 09:19:24 +01:00
crypto_wq.c
ctr.c crypto: remove several VLAs 2018-04-21 00:58:34 +08:00
cts.c crypto: remove several VLAs 2018-04-21 00:58:34 +08:00
deflate.c crypto: scomp - add support for deflate rfc1950 (zlib) 2017-04-24 18:11:08 +08:00
des_generic.c crypto: add missing crypto module aliases 2015-01-13 22:29:11 +11:00
dh.c crypto: dh - fix memory leak 2018-07-20 13:51:21 +08:00
dh_helper.c crypto: dh - make crypto_dh_encode_key() make robust 2018-08-03 18:06:06 +08:00
drbg.c crypto: drbg - in-place cipher operation for CTR 2018-08-03 18:05:48 +08:00
ecb.c crypto: include crypto- module prefix in template 2014-11-26 20:06:30 +08:00
ecc.c crypto: ecc - regularize scalar for scalar multiplication 2019-01-26 09:32:35 +01:00
ecc.h crypto: ecc - Actually remove stack VLA usage 2018-04-21 00:58:29 +08:00
ecc_curve_defs.h crypto: ecdh - fix typo of P-192 b value 2018-07-20 13:51:22 +08:00
ecdh.c crypto: ecc - Actually remove stack VLA usage 2018-04-21 00:58:29 +08:00
ecdh_helper.c crypto: ecdh - return unsigned value for crypto_ecdh_key_len() 2017-10-12 22:55:00 +08:00
echainiv.c crypto: echainiv - Remove unused alg/spawn variable 2017-12-22 19:52:45 +11:00
fcrypt.c crypto: prefix module autoloading with "crypto-" 2014-11-24 22:43:57 +08:00
fips.c crypto: fips - Move fips_enabled sysctl into fips.c 2015-04-23 14:18:09 +08:00
gcm.c crypto: null - Get rid of crypto_{get,put}_default_null_skcipher2() 2017-12-22 19:29:08 +11:00
gf128mul.c crypto: gf128mul - remove incorrect comment 2017-12-22 19:52:40 +11:00
ghash-generic.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
hash_info.c keys, trusted: select hash algorithm for TPM2 chips 2015-12-20 15:27:12 +02:00
hmac.c crypto: hmac - require that the underlying hash algorithm is unkeyed 2017-11-29 13:39:15 +11:00
internal.h crypto: api - Make crypto_alg_lookup static 2018-03-31 01:32:58 +08:00
jitterentropy-kcapi.c crypto: jitterentropy - drop duplicate header module.h 2016-11-17 23:34:52 +08:00
jitterentropy.c crypto: jitterentropy - Delete unnecessary checks before the function call "kzfree" 2015-06-25 23:18:33 +08:00
Kconfig crypto: aes_ti - disable interrupts while accessing S-box 2019-02-12 19:46:58 +01:00
keywrap.c crypto: keywrap - Add missing ULL suffixes for 64-bit constants 2017-11-29 17:33:26 +11:00
khazad.c crypto: prefix module autoloading with "crypto-" 2014-11-24 22:43:57 +08:00
kpp.c crypto: Replaced gcc specific attributes with macros from compiler.h 2017-01-13 00:24:39 +08:00
lrw.c crypto: lrw - Fix out-of bounds access on counter overflow 2018-11-13 11:08:45 -08:00
lz4.c crypto: lz4 - fixed decompress function to return error code 2017-04-10 19:17:27 +08:00
lz4hc.c crypto: lz4 - fixed decompress function to return error code 2017-04-10 19:17:27 +08:00
lzo.c treewide: use kv[mz]alloc* rather than opencoded variants 2017-05-08 17:15:13 -07:00
Makefile crypto: speck - remove Speck 2018-11-13 11:08:46 -08:00
mcryptd.c crypto: mcryptd - remove pointless wrapper functions 2018-02-15 23:26:45 +08:00
md4.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
md5.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
memneq.c
michael_mic.c crypto: prefix module autoloading with "crypto-" 2014-11-24 22:43:57 +08:00
morus640.c crypto: morus - fix handling chunked inputs 2019-03-23 20:09:54 +01:00
morus1280.c crypto: morus - fix handling chunked inputs 2019-03-23 20:09:54 +01:00
pcbc.c crypto: pcbc - remove bogus memcpy()s with src == dest 2019-03-23 20:09:55 +01:00
pcrypt.c crypto: pcrypt - fix freeing pcrypt instances 2017-12-22 19:02:47 +11:00
poly1305_generic.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
proc.c proc: introduce proc_create_seq{,_data} 2018-05-16 07:23:35 +02:00
ripemd.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
rmd128.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
rmd160.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
rmd256.c crypto: rmd256 - use swap macro in rmd256_transform 2018-07-27 19:28:36 +08:00
rmd320.c crypto: rmd320 - use swap macro in rmd320_transform 2018-07-27 19:28:36 +08:00
rng.c crypto: rng - ensure that the RNG is ready before using 2017-07-28 17:56:00 +08:00
rsa-pkcs1pad.c crypto: rsa-pkcs1pad - Replace GFP_ATOMIC with GFP_KERNEL in pkcs1pad_encrypt_sign_complete 2018-02-15 23:26:47 +08:00
rsa.c crypto: rsa - Remove unneeded error assignment 2018-04-21 00:58:37 +08:00
rsa_helper.c kbuild: rename *-asn1.[ch] to *.asn1.[ch] 2018-04-07 19:04:02 +09:00
rsaprivkey.asn1 crypto: rsa - Store rest of the private key components 2016-07-05 23:05:26 +08:00
rsapubkey.asn1 crypto: akcipher - Changes to asymmetric key API 2015-10-14 22:23:16 +08:00
salsa20_generic.c crypto: salsa20 - Revert "crypto: salsa20 - export generic helpers" 2018-05-31 00:13:57 +08:00
scatterwalk.c crypto: scatterwalk - remove 'chain' argument from scatterwalk_crypto_chain() 2018-08-03 18:06:03 +08:00
scompress.c crypto: scompress - use sgl_alloc() and sgl_free() 2018-01-06 09:18:00 -07:00
seed.c crypto: prefix module autoloading with "crypto-" 2014-11-24 22:43:57 +08:00
seqiv.c crypto: seqiv - Remove unused alg/spawn variable 2017-12-22 19:52:45 +11:00
serpent_generic.c crypto: serpent - improve __serpent_setkey with UBSAN 2017-08-09 20:17:54 +08:00
sha1_generic.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
sha3_generic.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux 2018-08-03 17:55:12 +08:00
sha256_generic.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
sha512_generic.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
shash.c crypto: hash - set CRYPTO_TFM_NEED_KEY if ->setkey() fails 2019-03-23 20:09:54 +01:00
simd.c crypto: simd - correctly take reqsize of wrapped skcipher into account 2018-12-01 09:37:32 +01:00
skcipher.c crypto: skcipher - set CRYPTO_TFM_NEED_KEY if ->setkey() fails 2019-03-23 20:09:55 +01:00
sm3_generic.c crypto: sm3 - fix undefined shift by >= width of value 2019-01-22 21:40:31 +01:00
sm4_generic.c crypto: sm4 - export encrypt/decrypt routines to other drivers 2018-05-05 14:52:51 +08:00
tcrypt.c crypto: testmgr - add AES-CFB tests 2019-01-09 17:38:44 +01:00
tcrypt.h crypto: tcrypt - Add ChaCha20/Poly1305 speed tests 2015-07-17 21:20:20 +08:00
tea.c crypto: add missing crypto module aliases 2015-01-13 22:29:11 +11:00
testmgr.c crypto: testmgr - skip crc32c context test for ahash algorithms 2019-03-23 20:09:55 +01:00
testmgr.h crypto: x86/poly1305 - fix overflow during partial reduction 2019-04-27 09:36:37 +02:00
tgr192.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
twofish_common.c crypto: replace FSF address with web source in license notices 2017-11-29 17:33:25 +11:00
twofish_generic.c crypto: replace FSF address with web source in license notices 2017-11-29 17:33:25 +11:00
vmac.c crypto: vmac - remove insecure version with hardcoded nonce 2018-07-01 21:00:44 +08:00
wp512.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
xcbc.c crypto: replace FSF address with web source in license notices 2017-11-29 17:33:25 +11:00
xor.c kmemcheck: stop using GFP_NOTRACK and SLAB_NOTRACK 2017-11-15 18:21:04 -08:00
xts.c crypto: scatterwalk - remove 'chain' argument from scatterwalk_crypto_chain() 2018-08-03 18:06:03 +08:00
zstd.c crypto: zstd - Add zstd support 2018-04-21 00:58:30 +08:00