crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP()

Herbert notes that DIV_ROUND_UP() may overflow unnecessarily if an ecdsa
implementation's ->key_size() callback returns an unusually large value.
Herbert instead suggests (for a division by 8):

  X / 8 + !!(X & 7)

Based on this formula, introduce a generic DIV_ROUND_UP_POW2() macro and
use it in lieu of DIV_ROUND_UP() for ->key_size() return values.

Additionally, use the macro in ecc_digits_from_bytes(), whose "nbytes"
parameter is a ->key_size() return value in some instances, or a
user-specified ASN.1 length in the case of ecdsa_get_signature_rs().

Link: https://lore.kernel.org/r/Z3iElsILmoSu6FuC@gondor.apana.org.au/
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/crypto/ecc.c b/crypto/ecc.c
index 50ad2d4ed672c527ee95c78dba926ca6c7787257..6cf9a945fc6c28d74c8106da7247ab2f17ddeb39 100644 (file)
--- a/crypto/ecc.c
+++ b/crypto/ecc.c
@@ -71,7 +71,7 @@ EXPORT_SYMBOL(ecc_get_curve);
 void ecc_digits_from_bytes(const u8 *in, unsigned int nbytes,
                           u64 *out, unsigned int ndigits)
 {
-       int diff = ndigits - DIV_ROUND_UP(nbytes, sizeof(u64));
+       int diff = ndigits - DIV_ROUND_UP_POW2(nbytes, sizeof(u64));
        unsigned int o = nbytes & 7;
        __be64 msd = 0;
 

diff --git a/crypto/ecdsa-p1363.c b/crypto/ecdsa-p1363.c
index eaae7214d69bca60a1743b298e737c8563790182..4454f1f8f33f58fa6f6f17de5f6c78faf895309f 100644 (file)
--- a/crypto/ecdsa-p1363.c
+++ b/crypto/ecdsa-p1363.c
@@ -22,7 +22,7 @@ static int ecdsa_p1363_verify(struct crypto_sig *tfm,
 {
        struct ecdsa_p1363_ctx *ctx = crypto_sig_ctx(tfm);
        unsigned int keylen = crypto_sig_keysize(ctx->child);
-       unsigned int ndigits = DIV_ROUND_UP(keylen, sizeof(u64));
+       unsigned int ndigits = DIV_ROUND_UP_POW2(keylen, sizeof(u64));
        struct ecdsa_raw_sig sig;
 
        if (slen != 2 * keylen)

diff --git a/crypto/ecdsa-x962.c b/crypto/ecdsa-x962.c
index 6a77c13e192b1a1c44f3ed03d52d295b1d2c8e8f..90a04f4b9a2f55b2fb825971961e4dc66ff85554 100644 (file)
--- a/crypto/ecdsa-x962.c
+++ b/crypto/ecdsa-x962.c
@@ -81,8 +81,8 @@ static int ecdsa_x962_verify(struct crypto_sig *tfm,
        struct ecdsa_x962_signature_ctx sig_ctx;
        int err;
 
-       sig_ctx.ndigits = DIV_ROUND_UP(crypto_sig_keysize(ctx->child),
-                                      sizeof(u64));
+       sig_ctx.ndigits = DIV_ROUND_UP_POW2(crypto_sig_keysize(ctx->child),
+                                           sizeof(u64));
 
        err = asn1_ber_decoder(&ecdsasignature_decoder, &sig_ctx, src, slen);
        if (err < 0)

diff --git a/include/linux/math.h b/include/linux/math.h
index f5f18dc3616b01b39e6a7f1237f1c46cab7a0c7f..0198c92cbe3ef56ee1e3a88c3fbf8f2fa5461bf6 100644 (file)
--- a/include/linux/math.h
+++ b/include/linux/math.h
@@ -34,6 +34,18 @@
  */
 #define round_down(x, y) ((x) & ~__round_mask(x, y))
 
+/**
+ * DIV_ROUND_UP_POW2 - divide and round up
+ * @n: numerator
+ * @d: denominator (must be a power of 2)
+ *
+ * Divides @n by @d and rounds up to next multiple of @d (which must be a power
+ * of 2). Avoids integer overflows that may occur with __KERNEL_DIV_ROUND_UP().
+ * Performance is roughly equivalent to __KERNEL_DIV_ROUND_UP().
+ */
+#define DIV_ROUND_UP_POW2(n, d) \
+       ((n) / (d) + !!((n) & ((d) - 1)))
+
 #define DIV_ROUND_UP __KERNEL_DIV_ROUND_UP
 
 #define DIV_ROUND_DOWN_ULL(ll, d) \