On Thu, Mar 19, 2020 at 9:48 PM Herbert Xu <herbert@gondor.apana.org.au> wrote:
On Wed, Mar 18, 2020 at 08:27:32PM -0600, Jason A. Donenfeld wrote:
Prior, passing in chunks of 2, 3, or 4, followed by any additional chunks would result in the chacha state counter getting out of sync, resulting in incorrect encryption/decryption, which is a pretty nasty crypto vuln: "why do images look weird on webpages?" WireGuard users never experienced this prior, because we have always, out of tree, used a different crypto library, until the recent Frankenzinc addition. This commit fixes the issue by advancing the pointers and state counter by the actual size processed. It also fixes up a bug in the (optional, costly) stride test that prevented it from running on arm64.
Fixes: b3aad5bad26a ("crypto: arm64/chacha - expose arm64 ChaCha routine as library function")
Reported-and-tested-by: Emil Renner Berthing <kernel@esmil.dk>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: stable@vger.kernel.org # v5.5+
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

arch/arm64/crypto/chacha-neon-glue.c | 8 ++++---
lib/crypto/chacha20poly1305-selftest.c | 11 ++++++++---
2 files changed, 12 insertions(+), 7 deletions(-)
Patch applied. Thanks.
Thanks! No idea whether Linus will skip a 5.6-rc7 with people not at work due to the quarantines, so given the gravity of this bug, it might be prudent to send a PR to him _now_, rather than waiting until next week.
Jason
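
An added example, not code from the patch or the kernel: a portable C model of the invariant the commit message describes, where the ChaCha block counter must advance by the blocks actually processed, checked by a stride test that compares two-call encryption against the one-shot result. `PASS_BLOCKS`, the `fixed_step` fault model, and the all-zero key, nonce and plaintext are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>
#define BLK 64
#define PASS_BLOCKS 5 /* assumed width of one multi-block pass */
#define ROTL(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QR(a, b, c, d) do { \
    a += b; d ^= a; d = ROTL(d, 16); c += d; b ^= c; b = ROTL(b, 12); \
    a += b; d ^= a; d = ROTL(d, 8);  c += d; b ^= c; b = ROTL(b, 7); } while (0)

/* XOR n <= 64 bytes with the ChaCha20 keystream block for state t. */
static void xor_block(const uint32_t t[16], uint8_t *dst, const uint8_t *src, size_t n)
{
    uint32_t x[16];
    memcpy(x, t, sizeof(x));
    for (int r = 0; r < 20; r++) /* even r: column round, odd r: diagonal round */
        for (int j = 0, k = r & 1; j < 4; j++)
            QR(x[j], x[4 + (j + k) % 4], x[8 + (j + 2 * k) % 4], x[12 + (j + 3 * k) % 4]);
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i] ^ (uint8_t)((x[i / 4] + t[i / 4]) >> (8 * (i % 4)));
}

/* fixed_step=0: counter += blocks actually processed; 1: constructed faulty model. */
static void chacha_crypt(uint32_t s[16], uint8_t *dst, const uint8_t *src, size_t len, int fixed_step)
{
    while (len) {
        size_t l = len < PASS_BLOCKS * BLK ? len : PASS_BLOCKS * BLK;
        uint32_t ctr = s[12];
        for (size_t off = 0; off < l; off += BLK, s[12]++)
            xor_block(s, dst + off, src + off, l - off < BLK ? l - off : BLK);
        s[12] = ctr + (fixed_step ? PASS_BLOCKS : (uint32_t)((l + BLK - 1) / BLK));
        dst += l; src += l; len -= l;
    }
}

/* Stride test: count block-aligned two-call splits that differ from one-shot. */
static int stride_failures(int fixed_step)
{
    uint8_t pt[10 * BLK] = { 0 }, ref[sizeof(pt)], out[sizeof(pt)]; /* constructed input */
    uint32_t fails = 0, s[16] = { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 };
    chacha_crypt(s, ref, pt, sizeof(pt), 0); /* one-shot reference, zero key and nonce */
    for (size_t split = BLK; split < sizeof(pt); split += BLK) {
        s[12] = 0;
        chacha_crypt(s, out, pt, split, fixed_step);
        chacha_crypt(s, out + split, pt + split, sizeof(pt) - split, fixed_step);
        fails += memcmp(out, ref, sizeof(pt)) != 0;
    }
    return (int)fails;
}

int main(void) { return stride_failures(0); }
```

In this model only the split at exactly one full pass survives the fixed step, which is why a self-test has to exercise short first chunks followed by more data rather than a single call.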