On Thu, Jul 29, 2021 at 03:33:10PM -0600, Shuah Khan wrote:
> On 7/26/21 9:12 PM, Jarkko Sakkinen wrote:
> > On Fri, Jul 23, 2021 at 01:53:06PM -0600, Shuah Khan wrote:
> > > On 7/4/21 11:09 PM, Jarkko Sakkinen wrote:
> > > > From: Tianjia Zhang <tianjia.zhang@xxxxxxxxxxxxxxxxx>
> > > >
> > > > Q1 and Q2 are numbers with *maximum* length of 384 bytes. If the calculated
> > > > length of Q1 and Q2 is less than 384 bytes, things will go wrong.
> > > >
> > > > E.g. if Q2 is 383 bytes, then
> > > >
> > > > 1. The bytes of q2 are copied to sigstruct->q2 in calc_q1q2().
> > > > 2. The entire sigstruct->q2 is reversed, which results it being
> > > > 256 * Q2, given that the last byte of sigstruct->q2 is added
> > > > to before the bytes given by calc_q1q2().
> > > >
> > > > Either change in key or measurement can trigger the bug. E.g. an unmeasured
> > > > heap could cause a devastating change in Q1 or Q2.
> > > >
> > > > Reverse exactly the bytes of Q1 and Q2 in calc_q1q2() before returning to
> > > > the caller.
> > > >
> > > > Fixes: dedde2634570 ("selftests/sgx: Trigger the reclaimer in the selftests")
> > > > Link: https://lore.kernel.org/linux-sgx/20210301051836.30738-1-tianjia.zhang@xxxxxxxxxxxxxxxxx/
> > > > Signed-off-by: Tianjia Zhang <tianjia.zhang@xxxxxxxxxxxxxxxxx>
> > > > Signed-off-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx>
> > > > ---
> > > > The original patch did a bad job explaining the code change but it
> > > > turned out making sense. I wrote a new description.
> > > >
> > > > v2:
> > > > - Added a fixes tag.
> > > > tools/testing/selftests/sgx/sigstruct.c | 41 +++++++++++++------------
> > > > 1 file changed, 21 insertions(+), 20 deletions(-)
> > > >
> > > > diff --git a/tools/testing/selftests/sgx/sigstruct.c b/tools/testing/selftests/sgx/sigstruct.c
> > > > index dee7a3d6c5a5..92bbc5a15c39 100644
> > > > --- a/tools/testing/selftests/sgx/sigstruct.c
> > > > +++ b/tools/testing/selftests/sgx/sigstruct.c
> > > > @@ -55,10 +55,27 @@ static bool alloc_q1q2_ctx(const uint8_t *s, const uint8_t *m,
> > > > return true;
> > > > }
> > > > +static void reverse_bytes(void *data, int length)
> > > > +{
> > > > + int i = 0;
> > > > + int j = length - 1;
> > > > + uint8_t temp;
> > > > + uint8_t *ptr = data;
> > > > +
> > > > + while (i < j) {
> > > > + temp = ptr[i];
> > > > + ptr[i] = ptr[j];
> > > > + ptr[j] = temp;
> > > > + i++;
> > > > + j--;
> > > > + }
> > > > +}
> > >
> > > I was just about apply this one and noticed this reverse_bytes().
> > > Aren't there byteswap functions you could call instead of writing
> > > your own?
> >
> > Sorry for latency, just came from two week leave.
> >
> > glibc does provide bswap for 16, 32, 64 bit numbers but nothing better.
> > I have no idea if libssl has such function. Since the test code already
> > uses this function, and it works, and it's not a newly added function in
> > this patch, I would consider keeping it.
>
> I will queue this up since it is fixing an important problem.
> Let's look into if this can be replaced with a lib call when
> you do cleanups perhaps for the next release.
Thank you.
/Jarkko
