1. 30 May, 2019 1 commit
  2. 17 May, 2019 4 commits
    • Daniel Axtens's avatar
      crypto: vmx - ghash: do nosimd fallback manually · 357d065a
      Daniel Axtens authored
      VMX ghash was using a fallback that did not support interleaving simd
      and nosimd operations, leading to failures in the extended test suite.
      
      If I understood correctly, Eric's suggestion was to use the same
      data format that the generic code uses, allowing us to call into it
      with the same contexts. I wasn't able to get that to work - I think
      there's a very different key structure and data layout being used.
      
      So instead steal the arm64 approach and perform the fallback
      operations directly if required.
      
      Fixes: cc333cd6 ("crypto: vmx - Adding GHASH routines for VMX module")
      Cc: stable@vger.kernel.org # v4.1+
      Reported-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDaniel Axtens <dja@axtens.net>
      Acked-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Tested-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      357d065a
    • Daniel Axtens's avatar
      crypto: vmx - CTR: always increment IV as quadword · 009b30ac
      Daniel Axtens authored
      The kernel self-tests picked up an issue with CTR mode:
      alg: skcipher: p8_aes_ctr encryption test failed (wrong result) on test vector 3, cfg="uneven misaligned splits, may sleep"
      
      Test vector 3 has an IV of FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD, so
      after 3 increments it should wrap around to 0.
      
      In the aesp8-ppc code from OpenSSL, there are two paths that
      increment IVs: the bulk (8 at a time) path, and the individual
      path which is used when there are fewer than 8 AES blocks to
      process.
      
      In the bulk path, the IV is incremented with vadduqm: "Vector
      Add Unsigned Quadword Modulo", which does 128-bit addition.
      
      In the individual path, however, the IV is incremented with
      vadduwm: "Vector Add Unsigned Word Modulo", which instead
      does 4 32-bit additions. Thus the IV would instead become
      FFFFFFFFFFFFFFFFFFFFFFFF00000000, throwing off the result.
      
      Use vadduqm.
      
      This was probably a typo originally, what with q and w being
      adjacent. It is a pretty narrow edge case: I am really
      impressed by the quality of the kernel self-tests!
      
      Fixes: 5c380d62 ("crypto: vmx - Add support for VMS instructions by ASM")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDaniel Axtens <dja@axtens.net>
      Acked-by: default avatarNayna Jain <nayna@linux.ibm.com>
      Tested-by: default avatarNayna Jain <nayna@linux.ibm.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      009b30ac
    • Eric Biggers's avatar
      crypto: hash - fix incorrect HASH_MAX_DESCSIZE · e1354400
      Eric Biggers authored
      The "hmac(sha3-224-generic)" algorithm has a descsize of 368 bytes,
      which is greater than HASH_MAX_DESCSIZE (360) which is only enough for
      sha3-224-generic.  The check in shash_prepare_alg() doesn't catch this
      because the HMAC template doesn't set descsize on the algorithms, but
      rather sets it on each individual HMAC transform.
      
      This causes a stack buffer overflow when SHASH_DESC_ON_STACK() is used
      with hmac(sha3-224-generic).
      
      Fix it by increasing HASH_MAX_DESCSIZE to the real maximum.  Also add a
      sanity check to hmac_init().
      
      This was detected by the improved crypto self-tests in v5.2, by loading
      the tcrypt module with CONFIG_CRYPTO_MANAGER_EXTRA_TESTS=y enabled.  I
      didn't notice this bug when I ran the self-tests by requesting the
      algorithms via AF_ALG (i.e., not using tcrypt), probably because the
      stack layout differs in the two cases and that made a difference here.
      
      KASAN report:
      
          BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:359 [inline]
          BUG: KASAN: stack-out-of-bounds in shash_default_import+0x52/0x80 crypto/shash.c:223
          Write of size 360 at addr ffff8880651defc8 by task insmod/3689
      
          CPU: 2 PID: 3689 Comm: insmod Tainted: G            E     5.1.0-10741-g35c99ffa #11
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
          Call Trace:
           __dump_stack lib/dump_stack.c:77 [inline]
           dump_stack+0x86/0xc5 lib/dump_stack.c:113
           print_address_description+0x7f/0x260 mm/kasan/report.c:188
           __kasan_report+0x144/0x187 mm/kasan/report.c:317
           kasan_report+0x12/0x20 mm/kasan/common.c:614
           check_memory_region_inline mm/kasan/generic.c:185 [inline]
           check_memory_region+0x137/0x190 mm/kasan/generic.c:191
           memcpy+0x37/0x50 mm/kasan/common.c:125
           memcpy include/linux/string.h:359 [inline]
           shash_default_import+0x52/0x80 crypto/shash.c:223
           crypto_shash_import include/crypto/hash.h:880 [inline]
           hmac_import+0x184/0x240 crypto/hmac.c:102
           hmac_init+0x96/0xc0 crypto/hmac.c:107
           crypto_shash_init include/crypto/hash.h:902 [inline]
           shash_digest_unaligned+0x9f/0xf0 crypto/shash.c:194
           crypto_shash_digest+0xe9/0x1b0 crypto/shash.c:211
           generate_random_hash_testvec.constprop.11+0x1ec/0x5b0 crypto/testmgr.c:1331
           test_hash_vs_generic_impl+0x3f7/0x5c0 crypto/testmgr.c:1420
           __alg_test_hash+0x26d/0x340 crypto/testmgr.c:1502
           alg_test_hash+0x22e/0x330 crypto/testmgr.c:1552
           alg_test.part.7+0x132/0x610 crypto/testmgr.c:4931
           alg_test+0x1f/0x40 crypto/testmgr.c:4952
      
      Fixes: b68a7ec1 ("crypto: hash - Remove VLA usage")
      Reported-by: default avatarCorentin Labbe <clabbe.montjoie@gmail.com>
      Cc: <stable@vger.kernel.org> # v4.20+
      Cc: Kees Cook <keescook@chromium.org>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Tested-by: default avatarCorentin Labbe <clabbe.montjoie@gmail.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      e1354400
    • Iuliana Prodan's avatar
      crypto: caam - fix typo in i.MX6 devices list for errata · 4fa0b1f9
      Iuliana Prodan authored
      Fix a typo in the list of i.MX6 devices affected by an
      issue wherein AXI bus transactions may not occur in
      the correct order.
      
      Fixes: 33d69455 ("crypto: caam - limit AXI pipeline to a depth of
      1")
      Signed-off-by: default avatarIuliana Prodan <iuliana.prodan@nxp.com>
      Reviewed-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      4fa0b1f9
  3. 09 May, 2019 7 commits
  4. 03 May, 2019 16 commits
  5. 25 Apr, 2019 12 commits