| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <c5491afc-2a7e-cb36-2a24-6dfa6b08b31a@linuxfoundation.org>
Date: Thu, 29 Jul 2021 15:33:10 -0600
From: Shuah Khan <skhan@...uxfoundation.org>
To: Jarkko Sakkinen <jarkko@...nel.org>
Cc: Shuah Khan <shuah@...nel.org>, linux-kselftest@...r.kernel.org,
linux-sgx@...r.kernel.org,
Reinette Chatre <reinette.chatre@...el.com>,
Borislav Petkov <bp@...en8.de>,
Tianjia Zhang <tianjia.zhang@...ux.alibaba.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
linux-kernel@...r.kernel.org,
Shuah Khan <skhan@...uxfoundation.org>
Subject: Re: [PATCH v2] selftests/sgx: Fix Q1 and Q2 calculation in
sigstruct.c
On 7/26/21 9:12 PM, Jarkko Sakkinen wrote:
> On Fri, Jul 23, 2021 at 01:53:06PM -0600, Shuah Khan wrote:
>> On 7/4/21 11:09 PM, Jarkko Sakkinen wrote:
>>> From: Tianjia Zhang <tianjia.zhang@...ux.alibaba.com>
>>>
>>> Q1 and Q2 are numbers with *maximum* length of 384 bytes. If the calculated
>>> length of Q1 and Q2 is less than 384 bytes, things will go wrong.
>>>
>>> E.g. if Q2 is 383 bytes, then
>>>
>>> 1. The bytes of q2 are copied to sigstruct->q2 in calc_q1q2().
>>> 2. The entire sigstruct->q2 is reversed, which results it being
>>> 256 * Q2, given that the last byte of sigstruct->q2 is added
>>> to before the bytes given by calc_q1q2().
>>>
>>> Either change in key or measurement can trigger the bug. E.g. an unmeasured
>>> heap could cause a devastating change in Q1 or Q2.
>>>
>>> Reverse exactly the bytes of Q1 and Q2 in calc_q1q2() before returning to
>>> the caller.
>>>
>>> Fixes: dedde2634570 ("selftests/sgx: Trigger the reclaimer in the selftests")
>>> Link: https://lore.kernel.org/linux-sgx/20210301051836.30738-1-tianjia.zhang@linux.alibaba.com/
>>> Signed-off-by: Tianjia Zhang <tianjia.zhang@...ux.alibaba.com>
>>> Signed-off-by: Jarkko Sakkinen <jarkko@...nel.org>
>>> ---
>>> The original patch did a bad job explaining the code change but it
>>> turned out making sense. I wrote a new description.
>>>
>>> v2:
>>> - Added a fixes tag.
>>> tools/testing/selftests/sgx/sigstruct.c | 41 +++++++++++++------------
>>> 1 file changed, 21 insertions(+), 20 deletions(-)
>>>
>>> diff --git a/tools/testing/selftests/sgx/sigstruct.c b/tools/testing/selftests/sgx/sigstruct.c
>>> index dee7a3d6c5a5..92bbc5a15c39 100644
>>> --- a/tools/testing/selftests/sgx/sigstruct.c
>>> +++ b/tools/testing/selftests/sgx/sigstruct.c
>>> @@ -55,10 +55,27 @@ static bool alloc_q1q2_ctx(const uint8_t *s, const uint8_t *m,
>>> return true;
>>> }
>>> +static void reverse_bytes(void *data, int length)
>>> +{
>>> + int i = 0;
>>> + int j = length - 1;
>>> + uint8_t temp;
>>> + uint8_t *ptr = data;
>>> +
>>> + while (i < j) {
>>> + temp = ptr[i];
>>> + ptr[i] = ptr[j];
>>> + ptr[j] = temp;
>>> + i++;
>>> + j--;
>>> + }
>>> +}
>>
>> I was just about apply this one and noticed this reverse_bytes().
>> Aren't there byteswap functions you could call instead of writing
>> your own?
>
> Sorry for latency, just came from two week leave.
>
> glibc does provide bswap for 16, 32, 64 bit numbers but nothing better.
>
> I have no idea if libssl has such function. Since the test code already
> uses this function, and it works, and it's not a newly added function in
> this patch, I would consider keeping it.
>
I will queue this up since it is fixing an important problem.
Let's look into if this can be replaced with a lib call when
you do cleanups perhaps for the next release.
thanks,
-- Shuah
Powered by blists - more mailing lists