Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Linux>
  3. Kernel
[PATCH] crypto: ecc - Protect ecc_digits_from_bytes from reading too many bytes
stefanb at linux
Apr 26, 2024, 3:55 PM
Post #1 of 9 (9 views)
Permalink
Protect ecc_digits_from_bytes from reading too many bytes from the input
byte array in case an insufficient number of bytes is provided to fill the
output digit array of ndigits. Therefore, initialize the most significant
digits with 0 to avoid trying to read too many bytes later on.

If too many bytes are provided on the input byte array the extra bytes
are ignored since the input variable 'ndigits' limits the number of digits
that will be filled.

Fixes: d67c96fb97b5 ("crypto: ecdsa - Convert byte arrays with key coordinates to digits")
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
include/crypto/internal/ecc.h | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/include/crypto/internal/ecc.h b/include/crypto/internal/ecc.h
index 7ca1f463d1ec..56215f14ff96 100644
--- a/include/crypto/internal/ecc.h
+++ b/include/crypto/internal/ecc.h
@@ -67,9 +67,16 @@ static inline void ecc_swap_digits(const void *in, u64 *out, unsigned int ndigit
static inline void ecc_digits_from_bytes(const u8 *in, unsigned int nbytes,
u64 *out, unsigned int ndigits)
{
+ int diff = ndigits - DIV_ROUND_UP(nbytes, sizeof(u64));
unsigned int o = nbytes & 7;
__be64 msd = 0;

+ /* diff > 0: not enough input bytes: set most significant digits to 0 */
+ while (diff > 0) {
+ out[--ndigits] = 0;
+ diff--;
+ }
+
if (o) {
memcpy((u8 *)&msd + sizeof(msd) - o, in, o);
out[--ndigits] = be64_to_cpu(msd);
--
2.43.0
Re: [PATCH] crypto: ecc - Protect ecc_digits_from_bytes from reading too many bytes [ In reply to ]
jarkko at kernel
Apr 28, 2024, 3:12 PM
Post #2 of 9 (6 views)
Permalink
On Sat Apr 27, 2024 at 1:55 AM EEST, Stefan Berger wrote:
> Protect ecc_digits_from_bytes from reading too many bytes from the input
> byte array in case an insufficient number of bytes is provided to fill the
> output digit array of ndigits. Therefore, initialize the most significant
> digits with 0 to avoid trying to read too many bytes later on.
>
> If too many bytes are provided on the input byte array the extra bytes
> are ignored since the input variable 'ndigits' limits the number of digits
> that will be filled.
>
> Fixes: d67c96fb97b5 ("crypto: ecdsa - Convert byte arrays with key coordinates to digits")
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
> include/crypto/internal/ecc.h | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/include/crypto/internal/ecc.h b/include/crypto/internal/ecc.h
> index 7ca1f463d1ec..56215f14ff96 100644
> --- a/include/crypto/internal/ecc.h
> +++ b/include/crypto/internal/ecc.h
> @@ -67,9 +67,16 @@ static inline void ecc_swap_digits(const void *in, u64 *out, unsigned int ndigit
> static inline void ecc_digits_from_bytes(const u8 *in, unsigned int nbytes,
> u64 *out, unsigned int ndigits)
> {
> + int diff = ndigits - DIV_ROUND_UP(nbytes, sizeof(u64));
> unsigned int o = nbytes & 7;
> __be64 msd = 0;
>
> + /* diff > 0: not enough input bytes: set most significant digits to 0 */
> + while (diff > 0) {
> + out[--ndigits] = 0;
> + diff--;
> + }

Could be just trivial for-loop:

for (i = 0; i < diff; i++)
out[--ndigits] = 0;

Or also simpler while-loop could work:

while (diff-- > 0)
out[--ndigits] = 0;

BR, Jarkko
Re: [PATCH] crypto: ecc - Protect ecc_digits_from_bytes from reading too many bytes [ In reply to ]
lukas at wunner
Apr 28, 2024, 8:30 PM
Post #3 of 9 (6 views)
Permalink
On Mon, Apr 29, 2024 at 01:12:00AM +0300, Jarkko Sakkinen wrote:
> On Sat Apr 27, 2024 at 1:55 AM EEST, Stefan Berger wrote:
> > Protect ecc_digits_from_bytes from reading too many bytes from the input
> > byte array in case an insufficient number of bytes is provided to fill the
> > output digit array of ndigits. Therefore, initialize the most significant
> > digits with 0 to avoid trying to read too many bytes later on.
> >
> > If too many bytes are provided on the input byte array the extra bytes
> > are ignored since the input variable 'ndigits' limits the number of digits
> > that will be filled.
> >
> > Fixes: d67c96fb97b5 ("crypto: ecdsa - Convert byte arrays with key coordinates to digits")
> > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > ---
> > include/crypto/internal/ecc.h | 7 +++++++
> > 1 file changed, 7 insertions(+)
> >
> > diff --git a/include/crypto/internal/ecc.h b/include/crypto/internal/ecc.h
> > index 7ca1f463d1ec..56215f14ff96 100644
> > --- a/include/crypto/internal/ecc.h
> > +++ b/include/crypto/internal/ecc.h
> > @@ -67,9 +67,16 @@ static inline void ecc_swap_digits(const void *in, u64 *out, unsigned int ndigit
> > static inline void ecc_digits_from_bytes(const u8 *in, unsigned int nbytes,
> > u64 *out, unsigned int ndigits)
> > {
> > + int diff = ndigits - DIV_ROUND_UP(nbytes, sizeof(u64));
> > unsigned int o = nbytes & 7;
> > __be64 msd = 0;
> >
> > + /* diff > 0: not enough input bytes: set most significant digits to 0 */
> > + while (diff > 0) {
> > + out[--ndigits] = 0;
> > + diff--;
> > + }
>
> Could be just trivial for-loop:
>
> for (i = 0; i < diff; i++)
> out[--ndigits] = 0;
>
> Or also simpler while-loop could work:
>
> while (diff-- > 0)
> out[--ndigits] = 0;

Or just use memset(), which uses optimized instructions on many arches.
Re: [PATCH] crypto: ecc - Protect ecc_digits_from_bytes from reading too many bytes [ In reply to ]
jarkko at kernel
Apr 29, 2024, 3:14 AM
Post #4 of 9 (6 views)
Permalink
On Mon Apr 29, 2024 at 6:30 AM EEST, Lukas Wunner wrote:
> On Mon, Apr 29, 2024 at 01:12:00AM +0300, Jarkko Sakkinen wrote:
> > On Sat Apr 27, 2024 at 1:55 AM EEST, Stefan Berger wrote:
> > > Protect ecc_digits_from_bytes from reading too many bytes from the input
> > > byte array in case an insufficient number of bytes is provided to fill the
> > > output digit array of ndigits. Therefore, initialize the most significant
> > > digits with 0 to avoid trying to read too many bytes later on.
> > >
> > > If too many bytes are provided on the input byte array the extra bytes
> > > are ignored since the input variable 'ndigits' limits the number of digits
> > > that will be filled.
> > >
> > > Fixes: d67c96fb97b5 ("crypto: ecdsa - Convert byte arrays with key coordinates to digits")
> > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > > ---
> > > include/crypto/internal/ecc.h | 7 +++++++
> > > 1 file changed, 7 insertions(+)
> > >
> > > diff --git a/include/crypto/internal/ecc.h b/include/crypto/internal/ecc.h
> > > index 7ca1f463d1ec..56215f14ff96 100644
> > > --- a/include/crypto/internal/ecc.h
> > > +++ b/include/crypto/internal/ecc.h
> > > @@ -67,9 +67,16 @@ static inline void ecc_swap_digits(const void *in, u64 *out, unsigned int ndigit
> > > static inline void ecc_digits_from_bytes(const u8 *in, unsigned int nbytes,
> > > u64 *out, unsigned int ndigits)
> > > {
> > > + int diff = ndigits - DIV_ROUND_UP(nbytes, sizeof(u64));
> > > unsigned int o = nbytes & 7;
> > > __be64 msd = 0;
> > >
> > > + /* diff > 0: not enough input bytes: set most significant digits to 0 */
> > > + while (diff > 0) {
> > > + out[--ndigits] = 0;
> > > + diff--;
> > > + }
> >
> > Could be just trivial for-loop:
> >
> > for (i = 0; i < diff; i++)
> > out[--ndigits] = 0;
> >
> > Or also simpler while-loop could work:
> >
> > while (diff-- > 0)
> > out[--ndigits] = 0;
>
> Or just use memset(), which uses optimized instructions on many arches.

Yeah, sure, that would be even better, or even memzero_explicit()?

BR, Jarkko
Re: [PATCH] crypto: ecc - Protect ecc_digits_from_bytes from reading too many bytes [ In reply to ]
stefanb at linux
Apr 29, 2024, 4:11 AM
Post #5 of 9 (6 views)
Permalink
On 4/29/24 06:14, Jarkko Sakkinen wrote:
> On Mon Apr 29, 2024 at 6:30 AM EEST, Lukas Wunner wrote:
>> On Mon, Apr 29, 2024 at 01:12:00AM +0300, Jarkko Sakkinen wrote:
>>> On Sat Apr 27, 2024 at 1:55 AM EEST, Stefan Berger wrote:
>>>> Protect ecc_digits_from_bytes from reading too many bytes from the input
>>>> byte array in case an insufficient number of bytes is provided to fill the
>>>> output digit array of ndigits. Therefore, initialize the most significant
>>>> digits with 0 to avoid trying to read too many bytes later on.
>>>>
>>>> If too many bytes are provided on the input byte array the extra bytes
>>>> are ignored since the input variable 'ndigits' limits the number of digits
>>>> that will be filled.
>>>>
>>>> Fixes: d67c96fb97b5 ("crypto: ecdsa - Convert byte arrays with key coordinates to digits")
>>>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>>>> ---
>>>> include/crypto/internal/ecc.h | 7 +++++++
>>>> 1 file changed, 7 insertions(+)
>>>>
>>>> diff --git a/include/crypto/internal/ecc.h b/include/crypto/internal/ecc.h
>>>> index 7ca1f463d1ec..56215f14ff96 100644
>>>> --- a/include/crypto/internal/ecc.h
>>>> +++ b/include/crypto/internal/ecc.h
>>>> @@ -67,9 +67,16 @@ static inline void ecc_swap_digits(const void *in, u64 *out, unsigned int ndigit
>>>> static inline void ecc_digits_from_bytes(const u8 *in, unsigned int nbytes,
>>>> u64 *out, unsigned int ndigits)
>>>> {
>>>> + int diff = ndigits - DIV_ROUND_UP(nbytes, sizeof(u64));
>>>> unsigned int o = nbytes & 7;
>>>> __be64 msd = 0;
>>>>
>>>> + /* diff > 0: not enough input bytes: set most significant digits to 0 */
>>>> + while (diff > 0) {
>>>> + out[--ndigits] = 0;
>>>> + diff--;
>>>> + }
>>>
>>> Could be just trivial for-loop:
>>>
>>> for (i = 0; i < diff; i++)
>>> out[--ndigits] = 0;
>>>
>>> Or also simpler while-loop could work:
>>>
>>> while (diff-- > 0)
>>> out[--ndigits] = 0;
>>
>> Or just use memset(), which uses optimized instructions on many arches.
>
> Yeah, sure, that would be even better, or even memzero_explicit()?

Thanks. The function isn't getting too big for an inline?

>
> BR, Jarkko
Re: [PATCH] crypto: ecc - Protect ecc_digits_from_bytes from reading too many bytes [ In reply to ]
jarkko at kernel
Apr 29, 2024, 6:12 AM
Post #6 of 9 (4 views)
Permalink
On Mon Apr 29, 2024 at 2:11 PM EEST, Stefan Berger wrote:
>
>
> On 4/29/24 06:14, Jarkko Sakkinen wrote:
> > On Mon Apr 29, 2024 at 6:30 AM EEST, Lukas Wunner wrote:
> >> On Mon, Apr 29, 2024 at 01:12:00AM +0300, Jarkko Sakkinen wrote:
> >>> On Sat Apr 27, 2024 at 1:55 AM EEST, Stefan Berger wrote:
> >>>> Protect ecc_digits_from_bytes from reading too many bytes from the input
> >>>> byte array in case an insufficient number of bytes is provided to fill the
> >>>> output digit array of ndigits. Therefore, initialize the most significant
> >>>> digits with 0 to avoid trying to read too many bytes later on.
> >>>>
> >>>> If too many bytes are provided on the input byte array the extra bytes
> >>>> are ignored since the input variable 'ndigits' limits the number of digits
> >>>> that will be filled.
> >>>>
> >>>> Fixes: d67c96fb97b5 ("crypto: ecdsa - Convert byte arrays with key coordinates to digits")
> >>>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> >>>> ---
> >>>> include/crypto/internal/ecc.h | 7 +++++++
> >>>> 1 file changed, 7 insertions(+)
> >>>>
> >>>> diff --git a/include/crypto/internal/ecc.h b/include/crypto/internal/ecc.h
> >>>> index 7ca1f463d1ec..56215f14ff96 100644
> >>>> --- a/include/crypto/internal/ecc.h
> >>>> +++ b/include/crypto/internal/ecc.h
> >>>> @@ -67,9 +67,16 @@ static inline void ecc_swap_digits(const void *in, u64 *out, unsigned int ndigit
> >>>> static inline void ecc_digits_from_bytes(const u8 *in, unsigned int nbytes,
> >>>> u64 *out, unsigned int ndigits)
> >>>> {
> >>>> + int diff = ndigits - DIV_ROUND_UP(nbytes, sizeof(u64));
> >>>> unsigned int o = nbytes & 7;
> >>>> __be64 msd = 0;
> >>>>
> >>>> + /* diff > 0: not enough input bytes: set most significant digits to 0 */
> >>>> + while (diff > 0) {
> >>>> + out[--ndigits] = 0;
> >>>> + diff--;
> >>>> + }
> >>>
> >>> Could be just trivial for-loop:
> >>>
> >>> for (i = 0; i < diff; i++)
> >>> out[--ndigits] = 0;
> >>>
> >>> Or also simpler while-loop could work:
> >>>
> >>> while (diff-- > 0)
> >>> out[--ndigits] = 0;
> >>
> >> Or just use memset(), which uses optimized instructions on many arches.
> >
> > Yeah, sure, that would be even better, or even memzero_explicit()?
>
> Thanks. The function isn't getting too big for an inline?

Hmm... so as far as I'm concerned you pick what works for you. Just
was pointing out at it would make to simplify the original a bit :-)

BR, Jarkko
Re: [PATCH] crypto: ecc - Protect ecc_digits_from_bytes from reading too many bytes [ In reply to ]
herbert at gondor
May 3, 2024, 3:30 AM
Post #7 of 9 (2 views)
Permalink
On Mon, Apr 29, 2024 at 01:14:15PM +0300, Jarkko Sakkinen wrote:
>
> Yeah, sure, that would be even better, or even memzero_explicit()?

memzero_explicit should only be used for stack memory.

Cheers,
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Re: [PATCH] crypto: ecc - Protect ecc_digits_from_bytes from reading too many bytes [ In reply to ]
jarkko at kernel
May 3, 2024, 4:49 PM
Post #8 of 9 (2 views)
Permalink
On Fri May 3, 2024 at 1:30 PM EEST, Herbert Xu wrote:
> On Mon, Apr 29, 2024 at 01:14:15PM +0300, Jarkko Sakkinen wrote:
> >
> > Yeah, sure, that would be even better, or even memzero_explicit()?
>
> memzero_explicit should only be used for stack memory.

BTW, is this in kernel documentation? It's a guideline really
and would be nice to have reminder, that's all.

BR, Jarkko
Re: [PATCH] crypto: ecc - Protect ecc_digits_from_bytes from reading too many bytes [ In reply to ]
jarkko at kernel
May 3, 2024, 4:51 PM
Post #9 of 9 (2 views)
Permalink
On Sat May 4, 2024 at 2:49 AM EEST, Jarkko Sakkinen wrote:
> On Fri May 3, 2024 at 1:30 PM EEST, Herbert Xu wrote:
> > On Mon, Apr 29, 2024 at 01:14:15PM +0300, Jarkko Sakkinen wrote:
> > >
> > > Yeah, sure, that would be even better, or even memzero_explicit()?
> >
> > memzero_explicit should only be used for stack memory.
>
> BTW, is this in kernel documentation? It's a guideline really
> and would be nice to have reminder, that's all.

Any case makes sense and is pretty obvious now that you said it.

BR, Jarkko

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal