| From eaf46edf6ea89675bd36245369c8de5063a0272c Mon Sep 17 00:00:00 2001 |
| From: Ard Biesheuvel <ard.biesheuvel@linaro.org> |
| Date: Thu, 24 Jan 2019 17:33:45 +0100 |
| Subject: crypto: arm64/aes-ccm - fix logical bug in AAD MAC handling |
| |
| From: Ard Biesheuvel <ard.biesheuvel@linaro.org> |
| |
| commit eaf46edf6ea89675bd36245369c8de5063a0272c upstream. |
| |
| The NEON MAC calculation routine fails to handle the case correctly |
| where there is some data in the buffer, and the input fills it up |
| exactly. In this case, we enter the loop at the end with w8 == 0, |
| while a negative value is assumed, and so the loop carries on until |
| the increment of the 32-bit counter wraps around, which is quite |
| obviously wrong. |
| |
| So omit the loop altogether in this case, and exit right away. |
| |
| Reported-by: Eric Biggers <ebiggers@kernel.org> |
| Fixes: a3fd82105b9d1 ("arm64/crypto: AES in CCM mode using ARMv8 Crypto ...") |
| Cc: stable@vger.kernel.org |
| Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> |
| Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| arch/arm64/crypto/aes-ce-ccm-core.S | 5 +++-- |
| 1 file changed, 3 insertions(+), 2 deletions(-) |
| |
| --- a/arch/arm64/crypto/aes-ce-ccm-core.S |
| +++ b/arch/arm64/crypto/aes-ce-ccm-core.S |
| @@ -74,12 +74,13 @@ ENTRY(ce_aes_ccm_auth_data) |
| beq 10f |
| ext v0.16b, v0.16b, v0.16b, #1 /* rotate out the mac bytes */ |
| b 7b |
| -8: mov w7, w8 |
| +8: cbz w8, 91f |
| + mov w7, w8 |
| add w8, w8, #16 |
| 9: ext v1.16b, v1.16b, v1.16b, #1 |
| adds w7, w7, #1 |
| bne 9b |
| - eor v0.16b, v0.16b, v1.16b |
| +91: eor v0.16b, v0.16b, v1.16b |
| st1 {v0.16b}, [x0] |
| 10: str w8, [x3] |
| ret |
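Review bot: The new `cbz w8, 91f` at label 8 carries no comment, and the path it creates is easy to misread. When the input fills the buffer exactly, both `mov w7, w8` and `add w8, w8, #16` are skipped, so w8 stays 0 and that value is what `str w8, [x3]` at label 10 writes back (presumably the leftover count read by the next call; the function's start is outside this hunk). I would add a comment on that line such as `/* buffer exactly full: no padding rotation, leftover count stays 0 */` so a later reader does not fold the branch back into the loop. The failing case only occurs when AAD arrives in pieces, so a test that splits the associated data with the second piece ending exactly on a 16-byte boundary would guard against a regression.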