# git rev-parse -q --verify 678cce4019d746da6c680c48ba9e6d417803e127^{commit}
678cce4019d746da6c680c48ba9e6d417803e127
already have revision, skipping fetch
# git checkout -q -f -B kisskb 678cce4019d746da6c680c48ba9e6d417803e127
# git clean -qxdf
# < git log -1
# commit 678cce4019d746da6c680c48ba9e6d417803e127
# Author: Eric Biggers
# Date: Sun Mar 31 13:04:11 2019 -0700
#
# crypto: x86/poly1305 - fix overflow during partial reduction
#
# The x86_64 implementation of Poly1305 produces the wrong result on some
# inputs because poly1305_4block_avx2() incorrectly assumes that when
# partially reducing the accumulator, the bits carried from limb 'd4' to
# limb 'h0' fit in a 32-bit integer. This is true for poly1305-generic
# which processes only one block at a time. However, it's not true for
# the AVX2 implementation, which processes 4 blocks at a time and
# therefore can produce intermediate limbs about 4x larger.
#
# Fix it by making the relevant calculations use 64-bit arithmetic rather
# than 32-bit. Note that most of the carries already used 64-bit
# arithmetic, but the d4 -> h0 carry was different for some reason.
#
# To be safe I also made the same change to the corresponding SSE2 code,
# though that only operates on 1 or 2 blocks at a time. I don't think
# it's really needed for poly1305_block_sse2(), but it doesn't hurt
# because it's already x86_64 code. It *might* be needed for
# poly1305_2block_sse2(), but overflows aren't easy to reproduce there.
#
# This bug was originally detected by my patches that improve testmgr to
# fuzz algorithms against their generic implementation. But also add a
# test vector which reproduces it directly (in the AVX2 case).
#
# Fixes: b1ccc8f4b631 ("crypto: poly1305 - Add a four block AVX2 variant for x86_64")
# Fixes: c70f4abef07a ("crypto: poly1305 - Add a SSE2 SIMD variant for x86_64")
# Cc: # v4.3+
# Cc: Martin Willi
# Cc: Jason A. Donenfeld
# Signed-off-by: Eric Biggers
# Reviewed-by: Martin Willi
# Signed-off-by: Herbert Xu
# < /opt/cross/kisskb/korg/gcc-5.5.0-nolibc/powerpc64-linux/bin/powerpc64-linux-gcc --version
# < /opt/cross/kisskb/korg/gcc-5.5.0-nolibc/powerpc64-linux/bin/powerpc64-linux-ld --version
# < git log --format=%s --max-count=1 678cce4019d746da6c680c48ba9e6d417803e127
# < make -s -j 120 ARCH=powerpc O=/kisskb/build/crypto_powernv_defconfig+NO_PERF_ppc64le-gcc5 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-5.5.0-nolibc/powerpc64-linux/bin/powerpc64-linux- powernv_defconfig
# Added to kconfig CONFIG_PERF_EVENTS=n
# yes \n | make -s -j 120 ARCH=powerpc O=/kisskb/build/crypto_powernv_defconfig+NO_PERF_ppc64le-gcc5 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-5.5.0-nolibc/powerpc64-linux/bin/powerpc64-linux- oldconfig
yes: standard output: Broken pipe
# make -s -j 120 ARCH=powerpc O=/kisskb/build/crypto_powernv_defconfig+NO_PERF_ppc64le-gcc5 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-5.5.0-nolibc/powerpc64-linux/bin/powerpc64-linux-
:1478:2: warning: #warning syscall io_uring_setup not implemented [-Wcpp]
:1481:2: warning: #warning syscall io_uring_enter not implemented [-Wcpp]
:1484:2: warning: #warning syscall io_uring_register not implemented [-Wcpp]
/kisskb/src/net/sunrpc/xprtsock.c: In function 'xs_stream_data_receive':
/kisskb/src/net/sunrpc/xprtsock.c:498:15: warning: 'read' may be used uninitialized in this function [-Wmaybe-uninitialized]
  size_t want, read;
  ^
/kisskb/src/net/sunrpc/xprtsock.c:529:9: warning: 'ret' may be used uninitialized in this function [-Wmaybe-uninitialized]
  return ret < 0 ? ret : read;
  ^
/kisskb/src/net/sunrpc/xprtsock.c:499:10: note: 'ret' was declared here
  ssize_t ret;
  ^
WARNING: modpost: Found 2 section mismatch(es).
To see full details build your kernel with:
'make CONFIG_DEBUG_SECTION_MISMATCH=y'
Completed OK
# rm -rf /kisskb/build/crypto_powernv_defconfig+NO_PERF_ppc64le-gcc5
# Build took: 0:01:35.263313