Re: git: cfb7b942bed7 - main - cryptosoft: Use multi-block encrypt/decrypt for non-AEAD ciphers.
- Reply: Guido Falsi : "Re: git: cfb7b942bed7 - main - cryptosoft: Use multi-block encrypt/decrypt for non-AEAD ciphers."
- Reply: Guido Falsi : "Re: git: cfb7b942bed7 - main - cryptosoft: Use multi-block encrypt/decrypt for non-AEAD ciphers."
- In reply to: Guido Falsi : "Re: git: cfb7b942bed7 - main - cryptosoft: Use multi-block encrypt/decrypt for non-AEAD ciphers."
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sat, 15 Jan 2022 00:26:44 UTC
On Fri, Jan 14, 2022 at 10:27:12PM +0100, Guido Falsi wrote: > On 11/01/22 23:38, John Baldwin wrote: > > The branch main has been updated by jhb: > > > > URL: https://cgit.FreeBSD.org/src/commit/?id=cfb7b942bed72cb798b869d2e36e0097dbd243b2 > > > > commit cfb7b942bed72cb798b869d2e36e0097dbd243b2 > > Author: John Baldwin <jhb@FreeBSD.org> > > AuthorDate: 2022-01-11 22:18:57 +0000 > > Commit: John Baldwin <jhb@FreeBSD.org> > > CommitDate: 2022-01-11 22:18:57 +0000 > > > > cryptosoft: Use multi-block encrypt/decrypt for non-AEAD ciphers. > > > > Reviewed by: markj > > Sponsored by: The FreeBSD Foundation > > Differential Revision: https://reviews.freebsd.org/D33531 > > Hi, > > I've just updated to recent head. I have a laptop using ZFS on geli > setup and now it's unable to boot. > > I've seen the failure starting with git revision > 3284f4925f697ad7cc2aa4761ff5cf6ce98fd623 (LRO: Don't merge ACK and > non-ACK packets together - 01/13/22, 17:18) > > it's still there with revision fe453891d7ccc8e173d9293b67f5b4608c5378dd > (01/14/22 11:00:08) > > While a kernel from the binary snapshot downloaded from mirrors compiled > from revision ac413189f53524e489c900b3cfaa80a1552875ca (vfslist.c: > initialize skipvfs variable 01/05/2022) is able to boot correctly. > > The machine panics as soon as it tries to work with geli, this is why I > am replying to this commit message. I'm not completely sure this is the > commit to blame, but it sure is related. > > I have not been able to save the backtrace to file, but the last two > calls are to: > > crypto_cursor_segment() > swcr_encdec() > > so it points to the last part of this patch. I think the problem is that crypto_cursor_segment() doesn't expect to be called once the cursor is at the end of a buffer. It may or may not perform an invalid memory access in that case, depending on the underlying buffer type. Fixing it would complicate the cursor code, maybe it's better to just change cryptosoft to avoid this scenario: diff --git a/sys/opencrypto/cryptosoft.c b/sys/opencrypto/cryptosoft.c index 4d0f7d8718cc..45aa3f41c4b2 100644 --- a/sys/opencrypto/cryptosoft.c +++ b/sys/opencrypto/cryptosoft.c @@ -146,13 +146,11 @@ swcr_encdec(const struct swcr_session *ses, struct cryptop *crp) crypto_cursor_init(&cc_in, &crp->crp_buf); crypto_cursor_advance(&cc_in, crp->crp_payload_start); - inblk = crypto_cursor_segment(&cc_in, &inlen); if (CRYPTO_HAS_OUTPUT_BUFFER(crp)) { crypto_cursor_init(&cc_out, &crp->crp_obuf); crypto_cursor_advance(&cc_out, crp->crp_payload_output_start); } else cc_out = cc_in; - outblk = crypto_cursor_segment(&cc_out, &outlen); encrypting = CRYPTO_OP_IS_ENCRYPT(crp->crp_op); @@ -162,7 +160,13 @@ swcr_encdec(const struct swcr_session *ses, struct cryptop *crp) * 'outlen' is the remaining length of current segment in the * output buffer. */ + inlen = outlen = 0; for (resid = crp->crp_payload_length; resid >= blksz; resid -= todo) { + if (inlen == 0) + inblk = crypto_cursor_segment(&cc_in, &inlen); + if (outlen == 0) + outblk = crypto_cursor_segment(&cc_out, &outlen); + /* * If the current block is not contained within the * current input/output segment, use 'blk' as a local @@ -191,8 +195,6 @@ swcr_encdec(const struct swcr_session *ses, struct cryptop *crp) crypto_cursor_advance(&cc_in, todo); inlen -= todo; inblk += todo; - if (inlen == 0) - inblk = crypto_cursor_segment(&cc_in, &inlen); } if (outblk == blk) { @@ -202,9 +204,6 @@ swcr_encdec(const struct swcr_session *ses, struct cryptop *crp) crypto_cursor_advance(&cc_out, todo); outlen -= todo; outblk += todo; - if (outlen == 0) - outblk = crypto_cursor_segment(&cc_out, - &outlen); } } @@ -476,15 +475,19 @@ swcr_gcm(const struct swcr_session *ses, struct cryptop *crp) /* Do encryption with MAC */ crypto_cursor_init(&cc_in, &crp->crp_buf); crypto_cursor_advance(&cc_in, crp->crp_payload_start); - inblk = crypto_cursor_segment(&cc_in, &inlen); if (CRYPTO_HAS_OUTPUT_BUFFER(crp)) { crypto_cursor_init(&cc_out, &crp->crp_obuf); crypto_cursor_advance(&cc_out, crp->crp_payload_output_start); } else cc_out = cc_in; - outblk = crypto_cursor_segment(&cc_out, &outlen); + inlen = outlen = 0; for (resid = crp->crp_payload_length; resid >= blksz; resid -= todo) { + if (inlen == 0) + inblk = crypto_cursor_segment(&cc_in, &inlen); + if (outlen == 0) + outblk = crypto_cursor_segment(&cc_out, &outlen); + if (inlen < blksz) { crypto_cursor_copydata(&cc_in, blksz, blk); inblk = blk; @@ -510,9 +513,6 @@ swcr_gcm(const struct swcr_session *ses, struct cryptop *crp) crypto_cursor_advance(&cc_out, todo); outlen -= todo; outblk += todo; - if (outlen == 0) - outblk = crypto_cursor_segment(&cc_out, - &outlen); } } else { todo = rounddown2(MIN(resid, inlen), blksz); @@ -525,8 +525,6 @@ swcr_gcm(const struct swcr_session *ses, struct cryptop *crp) crypto_cursor_advance(&cc_in, todo); inlen -= todo; inblk += todo; - if (inlen == 0) - inblk = crypto_cursor_segment(&cc_in, &inlen); } } if (resid > 0) { @@ -563,10 +561,14 @@ swcr_gcm(const struct swcr_session *ses, struct cryptop *crp) /* tag matches, decrypt data */ crypto_cursor_init(&cc_in, &crp->crp_buf); crypto_cursor_advance(&cc_in, crp->crp_payload_start); - inblk = crypto_cursor_segment(&cc_in, &inlen); + inlen = 0; for (resid = crp->crp_payload_length; resid > blksz; resid -= todo) { + if (inlen == 0) + inblk = crypto_cursor_segment(&cc_in, &inlen); + if (outlen == 0) + outblk = crypto_cursor_segment(&cc_out, &outlen); if (inlen < blksz) { crypto_cursor_copydata(&cc_in, blksz, blk); inblk = blk; @@ -588,9 +590,6 @@ swcr_gcm(const struct swcr_session *ses, struct cryptop *crp) crypto_cursor_advance(&cc_in, todo); inlen -= todo; inblk += todo; - if (inlen == 0) - inblk = crypto_cursor_segment(&cc_in, - &inlen); } if (outblk == blk) { @@ -601,9 +600,6 @@ swcr_gcm(const struct swcr_session *ses, struct cryptop *crp) crypto_cursor_advance(&cc_out, todo); outlen -= todo; outblk += todo; - if (outlen == 0) - outblk = crypto_cursor_segment(&cc_out, - &outlen); } } if (resid > 0) { @@ -809,15 +805,19 @@ swcr_ccm(const struct swcr_session *ses, struct cryptop *crp) /* Do encryption/decryption with MAC */ crypto_cursor_init(&cc_in, &crp->crp_buf); crypto_cursor_advance(&cc_in, crp->crp_payload_start); - inblk = crypto_cursor_segment(&cc_in, &inlen); if (CRYPTO_HAS_OUTPUT_BUFFER(crp)) { crypto_cursor_init(&cc_out, &crp->crp_obuf); crypto_cursor_advance(&cc_out, crp->crp_payload_output_start); } else cc_out = cc_in; - outblk = crypto_cursor_segment(&cc_out, &outlen); + inlen = outlen = 0; for (resid = crp->crp_payload_length; resid >= blksz; resid -= todo) { + if (inlen == 0) + inblk = crypto_cursor_segment(&cc_in, &inlen); + if (outlen == 0) + outblk = crypto_cursor_segment(&cc_out, &outlen); + if (inlen < blksz) { crypto_cursor_copydata(&cc_in, blksz, blk); inblk = blk; @@ -843,9 +843,6 @@ swcr_ccm(const struct swcr_session *ses, struct cryptop *crp) crypto_cursor_advance(&cc_out, todo); outlen -= todo; outblk += todo; - if (outlen == 0) - outblk = crypto_cursor_segment(&cc_out, - &outlen); } } else { /* @@ -867,8 +864,6 @@ swcr_ccm(const struct swcr_session *ses, struct cryptop *crp) crypto_cursor_advance(&cc_in, todo); inlen -= todo; inblk += todo; - if (inlen == 0) - inblk = crypto_cursor_segment(&cc_in, &inlen); } } if (resid > 0) { @@ -901,10 +896,16 @@ swcr_ccm(const struct swcr_session *ses, struct cryptop *crp) exf->reinit(ctx, crp->crp_iv, ivlen); crypto_cursor_init(&cc_in, &crp->crp_buf); crypto_cursor_advance(&cc_in, crp->crp_payload_start); - inblk = crypto_cursor_segment(&cc_in, &inlen); + inlen = 0; for (resid = crp->crp_payload_length; resid >= blksz; resid -= todo) { + if (inlen == 0) + inblk = crypto_cursor_segment(&cc_in, &inlen); + if (outlen == 0) + outblk = crypto_cursor_segment(&cc_out, + &outlen); + if (inlen < blksz) { crypto_cursor_copydata(&cc_in, blksz, blk); inblk = blk; @@ -926,9 +927,6 @@ swcr_ccm(const struct swcr_session *ses, struct cryptop *crp) crypto_cursor_advance(&cc_in, todo); inlen -= todo; inblk += todo; - if (inlen == 0) - inblk = crypto_cursor_segment(&cc_in, - &inlen); } if (outblk == blk) { @@ -939,9 +937,6 @@ swcr_ccm(const struct swcr_session *ses, struct cryptop *crp) crypto_cursor_advance(&cc_out, todo); outlen -= todo; outblk += todo; - if (outlen == 0) - outblk = crypto_cursor_segment(&cc_out, - &outlen); } } if (resid > 0) { @@ -1028,6 +1023,12 @@ swcr_chacha20_poly1305(const struct swcr_session *ses, struct cryptop *crp) if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) { for (resid = crp->crp_payload_length; resid >= blksz; resid -= todo) { + if (inlen == 0) + inblk = crypto_cursor_segment(&cc_in, &inlen); + if (outlen == 0) + outblk = crypto_cursor_segment(&cc_out, + &outlen); + if (inlen < blksz) { crypto_cursor_copydata(&cc_in, blksz, blk); inblk = blk; @@ -1051,9 +1052,6 @@ swcr_chacha20_poly1305(const struct swcr_session *ses, struct cryptop *crp) crypto_cursor_advance(&cc_in, todo); inlen -= todo; inblk += todo; - if (inlen == 0) - inblk = crypto_cursor_segment(&cc_in, - &inlen); } if (outblk == blk) { @@ -1063,9 +1061,6 @@ swcr_chacha20_poly1305(const struct swcr_session *ses, struct cryptop *crp) crypto_cursor_advance(&cc_out, todo); outlen -= todo; outblk += todo; - if (outlen == 0) - outblk = crypto_cursor_segment(&cc_out, - &outlen); } } if (resid > 0) { @@ -1111,6 +1106,11 @@ swcr_chacha20_poly1305(const struct swcr_session *ses, struct cryptop *crp) for (resid = crp->crp_payload_length; resid > blksz; resid -= todo) { + if (inlen == 0) + inblk = crypto_cursor_segment(&cc_in, &inlen); + if (outlen == 0) + outblk = crypto_cursor_segment(&cc_out, + &outlen); if (inlen < blksz) { crypto_cursor_copydata(&cc_in, blksz, blk); inblk = blk; @@ -1132,9 +1132,6 @@ swcr_chacha20_poly1305(const struct swcr_session *ses, struct cryptop *crp) crypto_cursor_advance(&cc_in, todo); inlen -= todo; inblk += todo; - if (inlen == 0) - inblk = crypto_cursor_segment(&cc_in, - &inlen); } if (outblk == blk) { @@ -1145,9 +1142,6 @@ swcr_chacha20_poly1305(const struct swcr_session *ses, struct cryptop *crp) crypto_cursor_advance(&cc_out, todo); outlen -= todo; outblk += todo; - if (outlen == 0) - outblk = crypto_cursor_segment(&cc_out, - &outlen); } } if (resid > 0) {