Re: Syzbot finding: invalid-load in arch/s390/crypto/sha_common.c

On 27.06.2025 01:13, Eric Biggers wrote:

> 
> Sorry, looking at the stack trace again, I realize that's not quite correct:
> 
>  [<00026a33d51d0d6e>] s390_sha_update_blocks+0x2ae/0x310 arch/s390/crypto/sha_common.c:26
>  [<00026a33d7de95c4>] crypto_shash_finup+0x424/0x720 crypto/shash.c:152
>  [<00026a33d7e06022>] crypto_shash_update include/crypto/hash.h:992 [inline]
>  [<00026a33d7e06022>] hmac_setkey+0x5c2/0x7a0 crypto/hmac.c:73
>  [<00026a33d7de8e1c>] crypto_shash_setkey+0x8c/0x1f0 crypto/shash.c:56
>  [<00026a33d7dee7c2>] hkdf_extract+0x42/0xa0 crypto/hkdf.c:50
>  [<00026a33d5fd5c16>] fscrypt_init_hkdf+0x146/0x280 fs/crypto/hkdf.c:73
> 
> This issue actually occurred with hmac(sha512-s390), i.e. the hmac template on
> top of the algorithm with driver name sha512-s390.  So this seems to be a
> regression from earlier commits.  I think this one:
> 
>     commit 88c02b3f79a61e659749773865998e0c33247e86
>     Author: Joerg Schmidbauer <jschmidb@xxxxxxxxxx>
>     Date:   Wed Aug 28 13:52:30 2024 +0200
> 
>         s390/sha3: Support sha3 performance enhancements
> 
> That introduced 'first_message_part' but forgot to make sha512_init() set it.

Right, first_message_part should be set to zero in sha512_init(), also in sha384_init() as well as in s390_sha1_init().

> So s390_sha_update() started using an uninitialized variable.
> 
> The following more recent commit then changed 'first_message_part' to a bool,
> which made UBSAN sometimes able to report its uninitialized use:
> 
>     commit 7b83638f962c30cb6271b5698dc52cdf9b638b48
>     Author: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
>     Date:   Fri Apr 18 10:59:34 2025 +0800
> 
>         crypto: s390/sha1 - Use API partial block handling
> 
> Fortunately, this issue no longer exists in SHA-512 in the latest linux-next,
> since my SHA-512 library work
> (https://lore.kernel.org/linux-crypto/20250616014019.415791-15-ebiggers@xxxxxxxxxx/)
> greatly simplified how the s390-optimized SHA-512 code is integrated.
> 
> However, my SHA-512 library work is targeting 6.17.  I think you'll need a fix
> for 6.16 and Cc'ed to stable that just initializes 'first_message_part' in the
> old code...
> 
> - Eric
> 


-- 
Ingo Franzki
eMail: ifranzki@xxxxxxxxxxxxx  
Tel: ++49 (0)7031-16-4648
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany

IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Gregor Pillen
Geschäftsführung: David Faller
Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart, HRB 243294
IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/
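
Added example, not part of the original message and not the kernel's code: a user-space sketch of the bug class discussed in this thread, an init routine that leaves a bool flag unset in memory the caller did not zero. Only the field name first_message_part comes from the thread; struct demo_sha_ctx, the demo_* functions and the 0xAA poison byte are hypothetical, and a 1-byte bool is assumed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical context; only 'first_message_part' is named in the thread. */
struct demo_sha_ctx {
	uint64_t count;
	uint32_t func;
	bool first_message_part;	/* as an int, any garbage was a legal value */
};

/* Simulate reused, non-zeroed memory (constructed poison pattern). */
static void demo_poison(struct demo_sha_ctx *ctx)
{
	memset(ctx, 0xAA, sizeof(*ctx));
}

/* Sets the other fields but forgets the flag. */
static void demo_init_buggy(struct demo_sha_ctx *ctx)
{
	ctx->count = 0;
	ctx->func = 1;
}

/* Same init with the flag cleared, as suggested in the reply above. */
static void demo_init_fixed(struct demo_sha_ctx *ctx)
{
	demo_init_buggy(ctx);
	ctx->first_message_part = 0;
}

/* Inspect the flag's storage as a raw byte; loading it as bool would
 * itself be the invalid load. */
static unsigned char demo_flag_byte(const struct demo_sha_ctx *ctx)
{
	return ((const unsigned char *)ctx)[offsetof(struct demo_sha_ctx,
						     first_message_part)];
}

/* A bool object may only hold 0 or 1. Garbage that happens to be 0 or 1
 * passes, which is why a sanitizer only sometimes reports the bug. */
static int demo_flag_is_valid_bool(const struct demo_sha_ctx *ctx)
{
	return demo_flag_byte(ctx) <= 1;
}

int main(void)
{
	struct demo_sha_ctx ctx;

	demo_poison(&ctx);
	demo_init_buggy(&ctx);
	printf("buggy init: flag byte 0x%02x valid=%d\n",
	       demo_flag_byte(&ctx), demo_flag_is_valid_bool(&ctx));
	demo_poison(&ctx);
	demo_init_fixed(&ctx);
	printf("fixed init: flag byte 0x%02x valid=%d\n",
	       demo_flag_byte(&ctx), demo_flag_is_valid_bool(&ctx));
	return 0;
}
```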



