Page MenuHomeFreeBSD

aesni: Avoid a potential out-of-bounds load in AES_GCM_encrypt()
ClosedPublic

Authored by markj on Nov 16 2021, 2:17 PM.

Details

Summary

This is effectively the same problem as the one fixed in 564b6aa7fccd
("aesni: Avoid a potential out-of-bounds load in aes_encrypt_icm()")
but I didn't have a reproducer before.

Reported by: Jenkins

Test Plan

The ktls tests trigger this when KASAN is enabled. With this
change they pass. cryptocheck -d aesni0 -z -a aes-gcm{,192,256} also
runs successfully.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
No Linters Available
Unit
No Unit Test Coverage
Build Status
Buildable 42808
Build 39696: arc lint + arc unit

Event Timeline

markj requested review of this revision.Nov 16 2021, 2:17 PM
cem added inline comments.
sys/crypto/aesni/aesni_ghash.c
510

Can we not use _mm_xor_si128(tmp1, last_block)? Or we assume ^ generates the same instruction?

This revision is now accepted and ready to land.Nov 16 2021, 3:19 PM
markj added inline comments.
sys/crypto/aesni/aesni_ghash.c
510

The aesni code does both but we should stay consistent within this function, I'll switch to the intrinsic.

markj marked an inline comment as done.

Use the xor intrinsic

This revision now requires review to proceed.Nov 16 2021, 3:44 PM
This revision is now accepted and ready to land.Nov 16 2021, 4:20 PM