From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2B71CC54EAA for ; Mon, 30 Jan 2023 07:34:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232549AbjA3Hey (ORCPT ); Mon, 30 Jan 2023 02:34:54 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46930 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229675AbjA3Hev (ORCPT ); Mon, 30 Jan 2023 02:34:51 -0500 Received: from out30-124.freemail.mail.aliyun.com (out30-124.freemail.mail.aliyun.com [115.124.30.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6A8F8193D7; Sun, 29 Jan 2023 23:34:48 -0800 (PST) X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R891e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=ay29a033018045170;MF=tianjia.zhang@linux.alibaba.com;NM=1;PH=DS;RN=8;SR=0;TI=SMTPD_---0VaP80-u_1675064083; Received: from 30.240.100.113(mailfrom:tianjia.zhang@linux.alibaba.com fp:SMTPD_---0VaP80-u_1675064083) by smtp.aliyun-inc.com; Mon, 30 Jan 2023 15:34:44 +0800 Message-ID: Date: Mon, 30 Jan 2023 15:34:42 +0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.13.1 Subject: Re: [PATCH] crypto: arm64/sm4 - Fix possible crash in GCM cryption Content-Language: en-US To: Herbert Xu Cc: "David S. Miller" , Catalin Marinas , Will Deacon , linux-crypto@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Ard Biesheuvel References: <20230118141928.48136-1-tianjia.zhang@linux.alibaba.com> From: Tianjia Zhang In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Hi Herbert, On 1/18/23 10:54 PM, Herbert Xu wrote: > On Wed, Jan 18, 2023 at 10:19:28PM +0800, Tianjia Zhang wrote: >> When the cryption total length is zero, GCM cryption call >> skcipher_walk_done() will cause an unexpected crash, so skip calling >> this function to avoid possible crash when the GCM cryption length >> is equal to zero. >> >> Fixes: ae1b83c7d572 ("crypto: arm64/sm4 - add CE implementation for GCM mode") >> Signed-off-by: Tianjia Zhang >> --- >> arch/arm64/crypto/sm4-ce-gcm-glue.c | 12 +++++++----- >> 1 file changed, 7 insertions(+), 5 deletions(-) >> >> diff --git a/arch/arm64/crypto/sm4-ce-gcm-glue.c b/arch/arm64/crypto/sm4-ce-gcm-glue.c >> index c450a2025ca9..9b63bcf9aa85 100644 >> --- a/arch/arm64/crypto/sm4-ce-gcm-glue.c >> +++ b/arch/arm64/crypto/sm4-ce-gcm-glue.c >> @@ -178,11 +178,13 @@ static int gcm_crypt(struct aead_request *req, struct skcipher_walk *walk, >> >> kernel_neon_end(); >> >> - err = skcipher_walk_done(walk, tail); >> - if (err) >> - return err; >> - if (walk->nbytes) >> - kernel_neon_begin(); >> + if (walk->nbytes) { > > Please do > if (!walk->nbytes) > break; Thanks for the suggestion, a new patch has been sent. > > As an additional improvement, the tail calculation can be removed > entirely because you already set the chunksize so the walker should > only be feeding you multiples of chunksize except at the end. > > Cheers I printed the walk->nbytes of each iteration of the walker, it is not always multiples of chunksize except at the end when the algorithm test manager is turned on. For example, during a GCM encryption process, I get data like this: total = 4014, nbytes = 2078, tail = 14 total = 1950, nbytes = 16, tail = 0 total = 1934, nbytes = 311, tail = 7 total = 1630, nbytes = 16, tail = 0 total = 1614, nbytes = 16, tail = 0 total = 1598, nbytes = 1598, tail = 14 Is my understanding wrong? Best regards, Tianjia From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 66E3CC54EED for ; Mon, 30 Jan 2023 07:37:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:Content-Type: Content-Transfer-Encoding:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:In-Reply-To:From:References:Cc:To:Subject: MIME-Version:Date:Message-ID:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=HX5jLSG7cBMh1vIOornRQWeZbDBsUAbH/yJ5yd8X/ds=; b=iFZgCftFVRpngx ap9A4UyKDRDzPtCbsrGhmiZoRkoVlo1blPBX0R+6RFX5DpXjm7arDhewgUp4dsiitSHfNtldFb60u yLQbWuSmaMZNv2YXkEfB7NptF5KiiwQax2nGPz9/L458De8ZMUPx1rhuSs2uvXHtn2/eHbthGcSgn 7nY/0d4FdJUCvqW4aWdldGo1R8JiX3qaFCF+QXxl5i8uVJbAoXehv60wX4HEn0LLUnZU6VK7nPW4d 0I8Hpw9v1/6rjnHLMJJeAvylaEtBZcZmsS8UsbRPPwXFS2x3vNqFOteu9TJRW2QhI/1gFrFfTk0YD PFK6xEFcos4y5enmFTeA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1pMOha-002Yro-Dy; Mon, 30 Jan 2023 07:35:42 +0000 Received: from out30-1.freemail.mail.aliyun.com ([115.124.30.1]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1pMOgr-002YpQ-Hu for linux-arm-kernel@lists.infradead.org; Mon, 30 Jan 2023 07:35:00 +0000 X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R891e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=ay29a033018045170;MF=tianjia.zhang@linux.alibaba.com;NM=1;PH=DS;RN=8;SR=0;TI=SMTPD_---0VaP80-u_1675064083; Received: from 30.240.100.113(mailfrom:tianjia.zhang@linux.alibaba.com fp:SMTPD_---0VaP80-u_1675064083) by smtp.aliyun-inc.com; Mon, 30 Jan 2023 15:34:44 +0800 Message-ID: Date: Mon, 30 Jan 2023 15:34:42 +0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.13.1 Subject: Re: [PATCH] crypto: arm64/sm4 - Fix possible crash in GCM cryption Content-Language: en-US To: Herbert Xu Cc: "David S. Miller" , Catalin Marinas , Will Deacon , linux-crypto@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Ard Biesheuvel References: <20230118141928.48136-1-tianjia.zhang@linux.alibaba.com> From: Tianjia Zhang In-Reply-To: X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230129_233457_827566_17332DD0 X-CRM114-Status: GOOD ( 20.89 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Hi Herbert, On 1/18/23 10:54 PM, Herbert Xu wrote: > On Wed, Jan 18, 2023 at 10:19:28PM +0800, Tianjia Zhang wrote: >> When the cryption total length is zero, GCM cryption call >> skcipher_walk_done() will cause an unexpected crash, so skip calling >> this function to avoid possible crash when the GCM cryption length >> is equal to zero. >> >> Fixes: ae1b83c7d572 ("crypto: arm64/sm4 - add CE implementation for GCM mode") >> Signed-off-by: Tianjia Zhang >> --- >> arch/arm64/crypto/sm4-ce-gcm-glue.c | 12 +++++++----- >> 1 file changed, 7 insertions(+), 5 deletions(-) >> >> diff --git a/arch/arm64/crypto/sm4-ce-gcm-glue.c b/arch/arm64/crypto/sm4-ce-gcm-glue.c >> index c450a2025ca9..9b63bcf9aa85 100644 >> --- a/arch/arm64/crypto/sm4-ce-gcm-glue.c >> +++ b/arch/arm64/crypto/sm4-ce-gcm-glue.c >> @@ -178,11 +178,13 @@ static int gcm_crypt(struct aead_request *req, struct skcipher_walk *walk, >> >> kernel_neon_end(); >> >> - err = skcipher_walk_done(walk, tail); >> - if (err) >> - return err; >> - if (walk->nbytes) >> - kernel_neon_begin(); >> + if (walk->nbytes) { > > Please do > if (!walk->nbytes) > break; Thanks for the suggestion, a new patch has been sent. > > As an additional improvement, the tail calculation can be removed > entirely because you already set the chunksize so the walker should > only be feeding you multiples of chunksize except at the end. > > Cheers I printed the walk->nbytes of each iteration of the walker, it is not always multiples of chunksize except at the end when the algorithm test manager is turned on. For example, during a GCM encryption process, I get data like this: total = 4014, nbytes = 2078, tail = 14 total = 1950, nbytes = 16, tail = 0 total = 1934, nbytes = 311, tail = 7 total = 1630, nbytes = 16, tail = 0 total = 1614, nbytes = 16, tail = 0 total = 1598, nbytes = 1598, tail = 14 Is my understanding wrong? Best regards, Tianjia _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel