RE: [PATCH] crypto: xts - Add support for Cipher Text Stealing

From: Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>
To: Milan Broz <gmazyland@gmail.com>,
	Pascal van Leeuwen <pascalvanl@gmail.com>,
	"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>
Cc: "rsnel@cube.dyndns.org" <rsnel@cube.dyndns.org>,
	"herbert@gondor.apana.org.au" <herbert@gondor.apana.org.au>,
	"davem@davemloft.net" <davem@davemloft.net>
Subject: RE: [PATCH] crypto: xts - Add support for Cipher Text Stealing
Date: Wed, 7 Aug 2019 20:26:08 +0000	[thread overview]
Message-ID: <MN2PR20MB297332EBE274E016AB90D58ACAD40@MN2PR20MB2973.namprd20.prod.outlook.com> (raw)
In-Reply-To: <46f76b06-004e-c08a-3ef3-4ba9fdc61d91@gmail.com>

> -----Original Message-----
> From: Milan Broz <gmazyland@gmail.com>
> Sent: Wednesday, August 7, 2019 7:24 PM
> To: Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>; Pascal van Leeuwen
> <pascalvanl@gmail.com>; linux-crypto@vger.kernel.org
> Cc: rsnel@cube.dyndns.org; herbert@gondor.apana.org.au; davem@davemloft.net
> Subject: Re: [PATCH] crypto: xts - Add support for Cipher Text Stealing
> 
> On 07/08/2019 17:13, Pascal Van Leeuwen wrote:
> >>>> Seems there is no mistake in your code, it is some bug in aesni_intel implementation.
> >>>> If I disable this module, it works as expected (with aes generic and aes_i586).
> >>>>
> >>> That's odd though, considering there is a dedicated xts-aes-ni implementation,
> >>> i.e. I would not expect that to end up at the generic xts wrapper at all?
> >>
> >> Note it is 32bit system, AESNI XTS is under #ifdef CONFIG_X86_64 so it is not used.
> >>
> > Ok, so I guess no one bothered to make an optimized XTS version for i386.
> > I quickly browsed through the code - took me a while to realise the assembly is
> > "backwards" compared to the original Intel definition :-) - but I did not spot
> > anything obvious :-(
> >
> >> I guess it only ECB part ...
> 
> Mystery solved, the skcipher subreq must be te last member in the struct.
> (Some comments in Adiantum code mentions it too, so I do not think it
> just hides the corruption after the struct. Seems like another magic requirement
> in crypto API :-)
> 
> This chunk is enough to fix it for me:
> 
> --- a/crypto/xts.c
> +++ b/crypto/xts.c
> @@ -33,8 +33,8 @@ struct xts_instance_ctx {
> 
>  struct rctx {
>         le128 t, tcur;
> -       struct skcipher_request subreq;
>         int rem_bytes, is_encrypt;
> +       struct skcipher_request subreq;
>  };
> 
> While at it, shouldn't be is_encrypt bool?
> 
> Thanks,
> Milan
While I do understand how that prevents corruption of rem_bytes and 
is_encrypt, doesn't that just *hide* the issue?

The memory beyond the end of the rctx struct is not allocated as far
as I can tell, so how can you legally write there?

I hope someone can explain this to me.

Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
www.insidesecure.com