On Tue Dec 9, 2025 at 11:34 PM CET, Eric Biggers wrote:
Commit 9a7c987fb92b ("crypto: arm64/ghash - Use API partial block handling") made ghash_finup() pass the wrong buffer to ghash_do_simd_update(). As a result, ghash-neon now produces incorrect outputs when the message length isn't divisible by 16 bytes. Fix this.
I was hoping to not have to do a 'git bisect', but this is much better :-D I can confirm that this patch fixes the error I was seeing, so
Tested-by: Diederik de Haas diederik@cknow-tech.com
(I didn't notice this earlier because this code is reached only on CPUs that support NEON but not PMULL. I haven't yet found a way to get qemu-system-aarch64 to emulate that configuration.)
https://www.qemu.org/docs/master/system/arm/raspi.html indicates it can emulate various Raspberry Pi models. I've only tested it with RPi 3B+ (bc of its wifi+bt chip), but I wouldn't be surprised if all RPi models would have this problem? Dunno if QEMU emulates that though.
Thanks for the quick fix!
Cheers, Diederik
Fixes: 9a7c987fb92b ("crypto: arm64/ghash - Use API partial block handling") Cc: stable@vger.kernel.org Reported-by: Diederik de Haas diederik@cknow-tech.com Closes: https://lore.kernel.org/linux-crypto/DETXT7QI62KE.F3CGH2VWX1SC@cknow-tech.co... Signed-off-by: Eric Biggers ebiggers@kernel.org
If it's okay, I'd like to just take this via libcrypto-fixes.
arch/arm64/crypto/ghash-ce-glue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/crypto/ghash-ce-glue.c b/arch/arm64/crypto/ghash-ce-glue.c index 7951557a285a..ef249d06c92c 100644 --- a/arch/arm64/crypto/ghash-ce-glue.c +++ b/arch/arm64/crypto/ghash-ce-glue.c @@ -131,11 +131,11 @@ static int ghash_finup(struct shash_desc *desc, const u8 *src, if (len) { u8 buf[GHASH_BLOCK_SIZE] = {}; memcpy(buf, src, len);
ghash_do_simd_update(1, ctx->digest, src, key, NULL,
ghash_do_simd_update(1, ctx->digest, buf, key, NULL, pmull_ghash_update_p8);}
base-commit: 7a3984bbd69055898add0fe22445f99435f33450