lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <70710115-6bde-465b-91f2-a005bede1602@ti.com>
Date: Thu, 15 Jan 2026 15:38:50 +0530
From: T Pratham <t-pratham@...com>
To: Herbert Xu <herbert@...dor.apana.org.au>, "David S. Miller"
	<davem@...emloft.net>
CC: <linux-crypto@...r.kernel.org>, <linux-kernel@...r.kernel.org>, "Manorit
 Chawdhry" <m-chawdhry@...com>, Shiva Tripathi <s-tripathi1@...com>, "Kamlesh
 Gurudasani" <kamlesh@...com>
Subject: [BUG] crypto: tcrypt - data corruption in ahash tests with
 CRYPTO_AHASH_ALG_BLOCK_ONLY

Hi,

Commit 9d7a0ab1c7536 ("crypto: ahash - Handle partial blocks in API")
introduced partial block handling for ahashes in the crypto API layer
itself.

In ahash with CRYPTO_AHASH_ALG_BLOCK_ONLY flag set, the code replaces
the callback in the request in ahash_save_req:

crypto/ahash.c:
int crypto_ahash_update(struct ahash_request *req)
{
	// stuff happens
	[...]

	ahash_save_req(req, ahash_update_done);

	err = ahash_do_req_chain(req, &crypto_ahash_alg(tfm)->update);
	if (err == -EINPROGRESS || err == -EBUSY)
		return err;

	return ahash_update_finish(req, err);
}

Same in crypto_ahash_finup().

When the update or finup returns -EINPROGRESS or -EBUSY, see that
ahash_update_finish/ahash_finup_finish is not called which calls the
ahash_restore_req to restore the callback and data. This seems
intentional as the code wants to call it's custom callback to cleanup
stuff done for block only algos.

However, in tcrypt, the wait struct is accessed as below:

crypto/tcrypt.c:
static inline int do_one_ahash_op(struct ahash_request *req, int ret)
{
	struct crypto_wait *wait = req->base.data;

	return crypto_wait_req(ret, wait);
}

Hence, when -EINPROGRESS or -EBUSY is returned by ahash, inside tcrypt,
when do_one_ahash_op accesses req->base.data, it gets the modified data
and then goes on to operate with the same, resulting in data corruption
and segfault.

Here are the logs when I test with DTHEv2 SHA512 driver (yet to send
upstream):
https://gist.github.com/Pratham-T/3c017c719d3e8c8a0bc7ea96bf896996

-- 
Regards
T Pratham <t-pratham@...com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ