1 From 12455e320e19e9cc7ad97f4ab89c280fe297387c Mon Sep 17 00:00:00 2001
2 From: Eric Biggers <ebiggers@google.com>
3 Date: Thu, 31 Jan 2019 23:51:42 -0800
4 Subject: crypto: arm64/aes-neonbs - fix returning final keystream block
6 From: Eric Biggers <ebiggers@google.com>
8 commit 12455e320e19e9cc7ad97f4ab89c280fe297387c upstream.
10 The arm64 NEON bit-sliced implementation of AES-CTR fails the improved
11 skcipher tests because it sometimes produces the wrong ciphertext. The
12 bug is that the final keystream block isn't returned from the assembly
13 code when the number of non-final blocks is zero. This can happen if
14 the input data ends a few bytes after a page boundary. In this case the
15 last bytes get "encrypted" by XOR'ing them with uninitialized memory.
17 Fix the assembly code to return the final keystream block when needed.
19 Fixes: 88a3f582bea9 ("crypto: arm64/aes - don't use IV buffer to return final keystream block")
20 Cc: <stable@vger.kernel.org> # v4.11+
21 Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
22 Signed-off-by: Eric Biggers <ebiggers@google.com>
23 Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
24 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
27 arch/arm64/crypto/aes-neonbs-core.S | 8 ++++++--
28 1 file changed, 6 insertions(+), 2 deletions(-)
30 --- a/arch/arm64/crypto/aes-neonbs-core.S
31 +++ b/arch/arm64/crypto/aes-neonbs-core.S
32 @@ -971,18 +971,22 @@ CPU_LE( rev x8, x8 )
48 * If we are handling the tail of the input (x6 != NULL), return the
49 * final keystream block back to the caller.