Commit 9a7c987fb92b ("crypto: arm64/ghash - Use API partial block handling") made ghash_finup() pass the wrong buffer to ghash_do_simd_update(). As a result, ghash-neon now produces incorrect outputs when the message length isn't divisible by 16 bytes. Fix this.
(I didn't notice this earlier because this code is reached only on CPUs that support NEON but not PMULL. I haven't yet found a way to get qemu-system-aarch64 to emulate that configuration.)
Fixes: 9a7c987fb92b ("crypto: arm64/ghash - Use API partial block handling") Cc: stable@vger.kernel.org Reported-by: Diederik de Haas diederik@cknow-tech.com Closes: https://lore.kernel.org/linux-crypto/DETXT7QI62KE.F3CGH2VWX1SC@cknow-tech.co... Signed-off-by: Eric Biggers ebiggers@kernel.org ---
If it's okay, I'd like to just take this via libcrypto-fixes.
arch/arm64/crypto/ghash-ce-glue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/crypto/ghash-ce-glue.c b/arch/arm64/crypto/ghash-ce-glue.c index 7951557a285a..ef249d06c92c 100644 --- a/arch/arm64/crypto/ghash-ce-glue.c +++ b/arch/arm64/crypto/ghash-ce-glue.c @@ -131,11 +131,11 @@ static int ghash_finup(struct shash_desc *desc, const u8 *src,
if (len) { u8 buf[GHASH_BLOCK_SIZE] = {};
memcpy(buf, src, len); - ghash_do_simd_update(1, ctx->digest, src, key, NULL, + ghash_do_simd_update(1, ctx->digest, buf, key, NULL, pmull_ghash_update_p8); memzero_explicit(buf, sizeof(buf)); } return ghash_export(desc, dst); }
base-commit: 7a3984bbd69055898add0fe22445f99435f33450
On Tue, Dec 09, 2025 at 02:34:17PM -0800, Eric Biggers wrote:
Commit 9a7c987fb92b ("crypto: arm64/ghash - Use API partial block handling") made ghash_finup() pass the wrong buffer to ghash_do_simd_update(). As a result, ghash-neon now produces incorrect outputs when the message length isn't divisible by 16 bytes. Fix this.
(I didn't notice this earlier because this code is reached only on CPUs that support NEON but not PMULL. I haven't yet found a way to get qemu-system-aarch64 to emulate that configuration.)
Fixes: 9a7c987fb92b ("crypto: arm64/ghash - Use API partial block handling") Cc: stable@vger.kernel.org Reported-by: Diederik de Haas diederik@cknow-tech.com Closes: https://lore.kernel.org/linux-crypto/DETXT7QI62KE.F3CGH2VWX1SC@cknow-tech.co... Signed-off-by: Eric Biggers ebiggers@kernel.org
If it's okay, I'd like to just take this via libcrypto-fixes.
arch/arm64/crypto/ghash-ce-glue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
Thanks for catching this!
Acked-by: Herbert Xu herbert@gondor.apana.org.au
On Tue, Dec 09, 2025 at 02:34:17PM -0800, Eric Biggers wrote:
Commit 9a7c987fb92b ("crypto: arm64/ghash - Use API partial block handling") made ghash_finup() pass the wrong buffer to ghash_do_simd_update(). As a result, ghash-neon now produces incorrect outputs when the message length isn't divisible by 16 bytes. Fix this.
(I didn't notice this earlier because this code is reached only on CPUs that support NEON but not PMULL. I haven't yet found a way to get qemu-system-aarch64 to emulate that configuration.)
Fixes: 9a7c987fb92b ("crypto: arm64/ghash - Use API partial block handling") Cc: stable@vger.kernel.org Reported-by: Diederik de Haas diederik@cknow-tech.com Closes: https://lore.kernel.org/linux-crypto/DETXT7QI62KE.F3CGH2VWX1SC@cknow-tech.co... Signed-off-by: Eric Biggers ebiggers@kernel.org
If it's okay, I'd like to just take this via libcrypto-fixes.
arch/arm64/crypto/ghash-ce-glue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
Applied to https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git/log/?h=li...
(As always, additional reviews/acks still appreciated!)
- Eric
On Tue Dec 9, 2025 at 11:34 PM CET, Eric Biggers wrote:
Commit 9a7c987fb92b ("crypto: arm64/ghash - Use API partial block handling") made ghash_finup() pass the wrong buffer to ghash_do_simd_update(). As a result, ghash-neon now produces incorrect outputs when the message length isn't divisible by 16 bytes. Fix this.
I was hoping to not have to do a 'git bisect', but this is much better :-D I can confirm that this patch fixes the error I was seeing, so
Tested-by: Diederik de Haas diederik@cknow-tech.com
(I didn't notice this earlier because this code is reached only on CPUs that support NEON but not PMULL. I haven't yet found a way to get qemu-system-aarch64 to emulate that configuration.)
https://www.qemu.org/docs/master/system/arm/raspi.html indicates it can emulate various Raspberry Pi models. I've only tested it with RPi 3B+ (bc of its wifi+bt chip), but I wouldn't be surprised if all RPi models would have this problem? Dunno if QEMU emulates that though.
Thanks for the quick fix!
Cheers, Diederik
Fixes: 9a7c987fb92b ("crypto: arm64/ghash - Use API partial block handling") Cc: stable@vger.kernel.org Reported-by: Diederik de Haas diederik@cknow-tech.com Closes: https://lore.kernel.org/linux-crypto/DETXT7QI62KE.F3CGH2VWX1SC@cknow-tech.co... Signed-off-by: Eric Biggers ebiggers@kernel.org
If it's okay, I'd like to just take this via libcrypto-fixes.
arch/arm64/crypto/ghash-ce-glue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/crypto/ghash-ce-glue.c b/arch/arm64/crypto/ghash-ce-glue.c index 7951557a285a..ef249d06c92c 100644 --- a/arch/arm64/crypto/ghash-ce-glue.c +++ b/arch/arm64/crypto/ghash-ce-glue.c @@ -131,11 +131,11 @@ static int ghash_finup(struct shash_desc *desc, const u8 *src, if (len) { u8 buf[GHASH_BLOCK_SIZE] = {}; memcpy(buf, src, len);
ghash_do_simd_update(1, ctx->digest, src, key, NULL,
ghash_do_simd_update(1, ctx->digest, buf, key, NULL, pmull_ghash_update_p8);}
base-commit: 7a3984bbd69055898add0fe22445f99435f33450
On Wed, 10 Dec 2025 at 18:22, Diederik de Haas diederik@cknow-tech.com wrote:
On Tue Dec 9, 2025 at 11:34 PM CET, Eric Biggers wrote:
Commit 9a7c987fb92b ("crypto: arm64/ghash - Use API partial block handling") made ghash_finup() pass the wrong buffer to ghash_do_simd_update(). As a result, ghash-neon now produces incorrect outputs when the message length isn't divisible by 16 bytes. Fix this.
I was hoping to not have to do a 'git bisect', but this is much better :-D I can confirm that this patch fixes the error I was seeing, so
Tested-by: Diederik de Haas diederik@cknow-tech.com
(I didn't notice this earlier because this code is reached only on CPUs that support NEON but not PMULL. I haven't yet found a way to get qemu-system-aarch64 to emulate that configuration.)
https://www.qemu.org/docs/master/system/arm/raspi.html indicates it can emulate various Raspberry Pi models. I've only tested it with RPi 3B+ (bc of its wifi+bt chip), but I wouldn't be surprised if all RPi models would have this problem? Dunno if QEMU emulates that though.
All 64-bit RPi models except the RPi5 are affected by this, as those do not implement the crypto extensions. So I would expect QEMU to do the same.
It would be nice, though, if we could emulate this on the mach-virt machine model too. It should be fairly trivial to do, so if there is demand for this I can look into it.
linux-stable-mirror@lists.linaro.org
-
Ard Biesheuvel -
Diederik de Haas -
Eric Biggers -
Herbert Xu