lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <dad58d52-7784-ab98-3634-15c86e52712d@nxp.com>
Date:   Wed, 28 Oct 2020 11:43:42 +0200
From:   Horia Geantă <horia.geanta@....com>
To:     Ard Biesheuvel <ardb@...nel.org>
Cc:     Herbert Xu <herbert@...dor.apana.org.au>,
        "David S. Miller" <davem@...emloft.net>,
        Russell King <linux@...linux.org.uk>,
        Linux Crypto Mailing List <linux-crypto@...r.kernel.org>,
        Linux ARM <linux-arm-kernel@...ts.infradead.org>,
        dl-linux-imx <linux-imx@....com>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] crypto: arm/aes-neonbs - fix usage of cbc(aes) fallback

On 10/28/2020 11:07 AM, Ard Biesheuvel wrote:
> On Wed, 28 Oct 2020 at 10:03, Horia Geantă <horia.geanta@....com> wrote:
>>
>> Loading the module deadlocks since:
>> -local cbc(aes) implementation needs a fallback and
>> -crypto API tries to find one but the request_module() resolves back to
>> the same module
>>
>> Fix this by changing the module alias for cbc(aes) and
>> using the NEED_FALLBACK flag when requesting for a fallback algorithm.
>>
>> Fixes: 00b99ad2bac2 ("crypto: arm/aes-neonbs - Use generic cbc encryption path")
>> Signed-off-by: Horia Geantă <horia.geanta@....com>
> 
> Not sure what is happening here: IIRC the intention was to rely on the
> fact that only the sync cbc(aes) implementation needs the fallback,
> and therefore, allocating a sync skcipher explicitly would avoid this
> recursion.
> 
My understanding is the following:

1. Local cbc_init() tries to allocate a fallback tfm for cbc(aes)

2. crypto API cbc(aes) tries to find a cbc(aes) algorithm implementation
crypto_alloc_skcipher ->
	crypto_alloc_tfm ->
		crypto_alloc_tfm_node ->
			crypto_find_alg ->
				crypto_alg_mod_lookup ->
					crypto_larval_lookup

Here crypto_alg_lookup() fails to find a cbc(aes) implementation.

3. Next step is to try to dynamically load a module (request_module)
that supports this implementation. And here it deadlocks, since it tries
to load aes-arm-bs module...

The fix is providing a way to (partially) skip the dynamic module loading
in crypto_alg_lookup() and allow for the last method of finding an algorithm
implementation, which is creating the cbc(aes) on the fly
via the cbc template - see:
	ok = crypto_probing_notify(CRYPTO_MSG_ALG_REQUEST, larval);
in crypto_alg_mod_lookup().

Horia

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ