> -----Original Message----- > From: Milan Broz <gmazyland@xxxxxxxxx> > Sent: Wednesday, August 7, 2019 7:24 PM > To: Pascal Van Leeuwen <pvanleeuwen@xxxxxxxxxxxxxx>; Pascal van Leeuwen > <pascalvanl@xxxxxxxxx>; linux-crypto@xxxxxxxxxxxxxxx > Cc: rsnel@xxxxxxxxxxxxxxx; herbert@xxxxxxxxxxxxxxxxxxx; davem@xxxxxxxxxxxxx > Subject: Re: [PATCH] crypto: xts - Add support for Cipher Text Stealing > > On 07/08/2019 17:13, Pascal Van Leeuwen wrote: > >>>> Seems there is no mistake in your code, it is some bug in aesni_intel implementation. > >>>> If I disable this module, it works as expected (with aes generic and aes_i586). > >>>> > >>> That's odd though, considering there is a dedicated xts-aes-ni implementation, > >>> i.e. I would not expect that to end up at the generic xts wrapper at all? > >> > >> Note it is 32bit system, AESNI XTS is under #ifdef CONFIG_X86_64 so it is not used. > >> > > Ok, so I guess no one bothered to make an optimized XTS version for i386. > > I quickly browsed through the code - took me a while to realise the assembly is > > "backwards" compared to the original Intel definition :-) - but I did not spot > > anything obvious :-( > > > >> I guess it only ECB part ... > > Mystery solved, the skcipher subreq must be te last member in the struct. > (Some comments in Adiantum code mentions it too, so I do not think it > just hides the corruption after the struct. Seems like another magic requirement > in crypto API :-) > > This chunk is enough to fix it for me: > > --- a/crypto/xts.c > +++ b/crypto/xts.c > @@ -33,8 +33,8 @@ struct xts_instance_ctx { > > struct rctx { > le128 t, tcur; > - struct skcipher_request subreq; > int rem_bytes, is_encrypt; > + struct skcipher_request subreq; > }; > > While at it, shouldn't be is_encrypt bool? > > Thanks, > Milan While I do understand how that prevents corruption of rem_bytes and is_encrypt, doesn't that just *hide* the issue? The memory beyond the end of the rctx struct is not allocated as far as I can tell, so how can you legally write there? I hope someone can explain this to me. Regards, Pascal van Leeuwen Silicon IP Architect, Multi-Protocol Engines @ Verimatrix www.insidesecure.com