
aesni: Avoid a potential out-of-bounds load in AES_GCM_encrypt()
Closed, Public

Authored by markj on Nov 16 2021, 2:17 PM.

Details

Summary

This is effectively the same problem as the one fixed in 564b6aa7fccd
("aesni: Avoid a potential out-of-bounds load in aes_encrypt_icm()")
but I didn't have a reproducer before.

Reported by: Jenkins

Test Plan

The ktls tests trigger this when KASAN is enabled. With this
change they pass. cryptocheck -d aesni0 -z -a aes-gcm{,192,256} also
runs successfully.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
No Lint Coverage
Unit
No Test Coverage
Build Status
Buildable 42808
Build 39696: arc lint + arc unit

Event Timeline

markj requested review of this revision. Nov 16 2021, 2:17 PM
cem added inline comments.
sys/crypto/aesni/aesni_ghash.c:510

Can we not use _mm_xor_si128(tmp1, last_block)? Or do we assume ^ generates the same instruction?

This revision is now accepted and ready to land. Nov 16 2021, 3:19 PM
markj added inline comments.
sys/crypto/aesni/aesni_ghash.c:510

The aesni code does both, but we should stay consistent within this function; I'll switch to the intrinsic.

markj marked an inline comment as done.

Use the xor intrinsic

This revision now requires review to proceed. Nov 16 2021, 3:44 PM
This revision is now accepted and ready to land. Nov 16 2021, 4:20 PM
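The defect class named in the summary and in the line-510 discussion (an out-of-bounds load when the final block of an AES-GCM/CTR message is shorter than 16 bytes) is easiest to see in plain C. The block below is an added illustration written for this page; it is not the committed diff and not FreeBSD's aesni code. It assumes the shape the review comment implies: a zeroed 16-byte `last_block` that receives only the remaining bytes, then a whole-block xor against the keystream (`_mm_xor_si128(tmp1, last_block)` in the SSE version). The keystream generator is a labelled placeholder so the example runs stand-alone; it is not AES.

```c
/*
 * Added example (not FreeBSD code): safe handling of a trailing partial
 * block in a CTR/GCM-style encryptor.  A full-width 16-byte load of the
 * last block (what _mm_loadu_si128 does on the tail) reads past the end
 * of the input when nbytes % 16 != 0; the fix copies only the bytes that
 * exist into a zeroed block before the xor.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 16

/* Unsafe analogue of a full-width SIMD load: ignores how many bytes are
 * valid and always reads BLOCK bytes.  Kept only for comparison and only
 * ever called below on a buffer that has slack after the message. */
void load_tail_unsafe(const uint8_t *in, size_t rem, uint8_t blk[BLOCK])
{
    (void)rem;                 /* remaining length ignored: the defect */
    memcpy(blk, in, BLOCK);
}

/* Safe form: zero the block, then copy exactly the rem (< BLOCK) valid bytes. */
void load_tail_safe(const uint8_t *in, size_t rem, uint8_t blk[BLOCK])
{
    memset(blk, 0, BLOCK);
    memcpy(blk, in, rem);
}

/* Placeholder keystream, NOT AES: block n yields bytes (n*16+j) ^ 0xA5.
 * A real implementation would AES-encrypt the counter block here. */
static void placeholder_keystream(uint64_t n, uint8_t ks[BLOCK])
{
    for (size_t j = 0; j < BLOCK; j++)
        ks[j] = (uint8_t)((n * BLOCK + j) ^ 0xA5);
}

/* CTR-style xor of nbytes from in to out.  Full blocks are handled as
 * usual; the final partial block goes through load_tail_safe, so no byte
 * past in[nbytes-1] is read and no byte past out[nbytes-1] is written.
 * Returns the number of keystream blocks generated. */
uint64_t ctr_xor_safe(const uint8_t *in, uint8_t *out, size_t nbytes)
{
    uint8_t ks[BLOCK], blk[BLOCK];
    uint64_t n = 0;
    size_t k;

    for (k = 0; k + BLOCK <= nbytes; k += BLOCK, n++) {
        placeholder_keystream(n, ks);
        for (size_t j = 0; j < BLOCK; j++)
            out[k + j] = in[k + j] ^ ks[j];
    }
    if (k < nbytes) {
        size_t rem = nbytes - k;
        placeholder_keystream(n, ks);
        load_tail_safe(in + k, rem, blk);
        /* whole-block xor, like _mm_xor_si128(tmp1, last_block) ... */
        for (size_t j = 0; j < BLOCK; j++)
            blk[j] ^= ks[j];
        /* ... but store only the rem bytes that belong to the message */
        memcpy(out + k, blk, rem);
        n++;
    }
    return n;
}

/* Constructed scenario: a 21-byte message at the front of a 32-byte buffer
 * whose remaining bytes are a 0xEE sentinel standing in for whatever lies
 * beyond a real allocation.  Returns the number of checks that passed (5). */
int run_demo(void)
{
    uint8_t buf[32], ct[32], pt[32], blk[BLOCK];
    int ok = 0;

    memset(buf, 0xEE, sizeof buf);
    for (int i = 0; i < 21; i++)
        buf[i] = (uint8_t)i;

    load_tail_unsafe(buf + 16, 5, blk);
    ok += (blk[5] == 0xEE);              /* full-width load pulled in sentinel bytes */
    load_tail_safe(buf + 16, 5, blk);
    ok += (blk[4] == 20 && blk[5] == 0 && blk[15] == 0);

    memset(ct, 0xEE, sizeof ct);
    memset(pt, 0xEE, sizeof pt);
    ok += (ctr_xor_safe(buf, ct, 21) == 2);
    ok += (ct[21] == 0xEE);              /* nothing written past the message */
    ok += (ctr_xor_safe(ct, pt, 21) == 2 && memcmp(pt, buf, 21) == 0);
    return ok;
}

int main(void)
{
    printf("checks passed: %d/5\n", run_demo());
    return 0;
}
```

The sentinel comparison is what a sanitizer such as the KASAN run in the test plan reports for real: the unsafe load's block carries bytes that were never part of the message, while the safe load's block is zero-padded and the store is bounded to the same `rem`.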