From patchwork Thu Apr 11 22:36:11 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bethany Jamison X-Patchwork-Id: 1922727 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VFvgX6P5yz1yYs for ; Fri, 12 Apr 2024 08:36:24 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1rv31m-0005Fu-Jv; Thu, 11 Apr 2024 22:36:18 +0000 Received: from smtp-relay-internal-1.internal ([10.131.114.114] helo=smtp-relay-internal-1.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1rv31j-0005DO-Ac for kernel-team@lists.ubuntu.com; Thu, 11 Apr 2024 22:36:15 +0000 Received: from mail-il1-f200.google.com (mail-il1-f200.google.com [209.85.166.200]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 16B6C40D77 for ; Thu, 11 Apr 2024 22:36:15 +0000 (UTC) Received: by mail-il1-f200.google.com with SMTP id e9e14a558f8ab-36a0d9d820cso3461885ab.0 for ; Thu, 11 Apr 2024 15:36:15 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712874974; x=1713479774; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=tZHkaGwG9CpKJ7RUBg3r6s3pvj0sl4uoTWPy5v4ooD8=; b=XblVbS4DKqCqk0E8VOz2cqnFJ8nHQ260bQf5vvWDumYt2gUKMqVS/RNqsqPgnsiZ1r oSCVRIsZDu1kv+H5vLVIfksG+fyh7XY3bAncmNkrqjXHYDAc11pn57FSJyADb8Q1q3BO WI1r2egrOo49S2rMezgerHPPUY3ClcGVJvSzGcGtE6502spIkOG9nEXe9vApsHgt2ADt SFShNRW9i+2yZAh61RaS96hH15Go+PrEAHiA6f0XkJlQ5oDs4k6UB92RzKod0ZP9XnY5 G/A11Uqz7EQ6uIIfaJUGY7nLxWBV/xW9Rszzl3/CM9Z6WP4V3s687ivRzdyS83IX3NYZ EjHA== X-Gm-Message-State: AOJu0Ywy8t8lNMkCXRKNG95kWBBUIat7XzVqoDe7jpJtMG67/THFWyo+ sWhGI/et/ZwtGjYFGdbsEo4zJAjqUgSVd9OFpQefde0HkM2Q2JNlQBxKYmMc1rCl+kwsfFCPNQv /hQC6wKVTPxJgdXBXRHJvo/j2VH9yH2T9IFemzw0eMkIovA70DQVixlWt68l0nyUwXLNlzd4ftb A2Y8zqGzZd2Q== X-Received: by 2002:a92:c241:0:b0:36b:46b:1340 with SMTP id k1-20020a92c241000000b0036b046b1340mr1131318ilo.5.1712874973760; Thu, 11 Apr 2024 15:36:13 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGmSj3fVNPsf2LjEuSiyyxNhFdVq+qygxMM+L1qz6BCQhL2wcYpbYfaJ/BsU5Si+E0Q/Ps0og== X-Received: by 2002:a92:c241:0:b0:36b:46b:1340 with SMTP id k1-20020a92c241000000b0036b046b1340mr1131315ilo.5.1712874973485; Thu, 11 Apr 2024 15:36:13 -0700 (PDT) Received: from smtp.gmail.com (209-50-27-115.lnk02.ne.dynamic.allophone.net. [209.50.27.115]) by smtp.gmail.com with ESMTPSA id n12-20020a92dd0c000000b0036afd85c1d6sm579243ilm.26.2024.04.11.15.36.13 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 11 Apr 2024 15:36:13 -0700 (PDT) From: Bethany Jamison To: kernel-team@lists.ubuntu.com Subject: [SRU][M][PATCH 1/1] crypto: arm64/neonbs - fix out-of-bounds access on short input Date: Thu, 11 Apr 2024 17:36:11 -0500 Message-Id: <20240411223611.37519-2-bethany.jamison@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240411223611.37519-1-bethany.jamison@canonical.com> References: <20240411223611.37519-1-bethany.jamison@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Ard Biesheuvel The bit-sliced implementation of AES-CTR operates on blocks of 128 bytes, and will fall back to the plain NEON version for tail blocks or inputs that are shorter than 128 bytes to begin with. It will call straight into the plain NEON asm helper, which performs all memory accesses in granules of 16 bytes (the size of a NEON register). For this reason, the associated plain NEON glue code will copy inputs shorter than 16 bytes into a temporary buffer, given that this is a rare occurrence and it is not worth the effort to work around this in the asm code. The fallback from the bit-sliced NEON version fails to take this into account, potentially resulting in out-of-bounds accesses. So clone the same workaround, and use a temp buffer for short in/outputs. Fixes: fc074e130051 ("crypto: arm64/aes-neonbs-ctr - fallback to plain NEON for final chunk") Cc: Reported-by: syzbot+f1ceaa1a09ab891e1934@syzkaller.appspotmail.com Reviewed-by: Eric Biggers Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu (cherry picked from commit 1c0cf6d19690141002889d72622b90fc01562ce4) CVE-2024-26789 Signed-off-by: Bethany Jamison --- arch/arm64/crypto/aes-neonbs-glue.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/arch/arm64/crypto/aes-neonbs-glue.c b/arch/arm64/crypto/aes-neonbs-glue.c index bac4cabef6073..467ac2f768ac2 100644 --- a/arch/arm64/crypto/aes-neonbs-glue.c +++ b/arch/arm64/crypto/aes-neonbs-glue.c @@ -227,8 +227,19 @@ static int ctr_encrypt(struct skcipher_request *req) src += blocks * AES_BLOCK_SIZE; } if (nbytes && walk.nbytes == walk.total) { + u8 buf[AES_BLOCK_SIZE]; + u8 *d = dst; + + if (unlikely(nbytes < AES_BLOCK_SIZE)) + src = dst = memcpy(buf + sizeof(buf) - nbytes, + src, nbytes); + neon_aes_ctr_encrypt(dst, src, ctx->enc, ctx->key.rounds, nbytes, walk.iv); + + if (unlikely(nbytes < AES_BLOCK_SIZE)) + memcpy(d, dst, nbytes); + nbytes = 0; } kernel_neon_end();