On 03.07.2025 19:20, Eric Biggers wrote:
> On Fri, Jun 27, 2025 at 11:56:49AM -0700, Eric Biggers wrote:
>> Commit 88c02b3f79a6 ("s390/sha3: Support sha3 performance enhancements")
>> added the field s390_sha_ctx::first_message_part and made it be used by
>> s390_sha_update_blocks(). At the time, s390_sha_update_blocks() was
>> used by all the s390 SHA-1, SHA-2, and SHA-3 algorithms. However, only
>> the initialization functions for SHA-3 were updated, leaving SHA-1 and
>> SHA-2 using first_message_part uninitialized.
>>
>> This could cause e.g. CPACF_KIMD_SHA_512 | CPACF_KIMD_NIP to be used
>> instead of just CPACF_KIMD_NIP. It's unclear why this didn't cause a
>> problem earlier; this bug was found only when UBSAN detected the
>> uninitialized boolean. Perhaps the CPU ignores CPACF_KIMD_NIP for SHA-1
>> and SHA-2. Regardless, let's fix this. For now just initialize to
>> false, i.e. don't try to "optimize" the SHA state initialization.
>>
>> Note: in 6.16, we need to patch SHA-1, SHA-384, and SHA-512. In 6.15
>> and earlier, we'll also need to patch SHA-224 and SHA-256, as they
>> hadn't yet been librarified (which incidentally fixed this bug).
>>
>> Fixes: 88c02b3f79a6 ("s390/sha3: Support sha3 performance enhancements")
>> Cc: stable@xxxxxxxxxxxxxxx
>> Reported-by: Ingo Franzki <ifranzki@xxxxxxxxxxxxx>
>> Closes: https://lore.kernel.org/r/12740696-595c-4604-873e-aefe8b405fbf@xxxxxxxxxxxxx
>> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
>> ---
>>
>> This is targeting 6.16. I'd prefer to take this through
>> libcrypto-fixes, since the librarification work is also touching this
>> area. But let me know if there's a preference for the crypto tree or
>> the s390 tree instead.
>>
>>  arch/s390/crypto/sha1_s390.c   | 1 +
>>  arch/s390/crypto/sha512_s390.c | 2 ++
>>  2 files changed, 3 insertions(+)
>
> I just realized this patch is incomplete: it updated s390_sha1_init(),
> sha384_init(), and sha512_init(), but not s390_sha1_import() and sha512_import()
> which need the same fix... I'll send a v2.

Good finding. Yes, the import functions also need the fix.
Your updates in "[PATCH v2] crypto: s390/sha - Fix uninitialized variable in SHA-1 and SHA-2" look good.

>
> - Eric

--
Ingo Franzki
eMail: ifranzki@xxxxxxxxxxxxx
Tel: ++49 (0)7031-16-4648
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany

IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Gregor Pillen
Geschäftsführung: David Faller
Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart, HRB 243294
IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/
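
The init-versus-import gap discussed in this thread, as an added example that is not part of the original messages or the kernel source: a simplified C model in which every `model_*` and `MODEL_*` name is hypothetical and the flag values are constructed. It assumes, following the quoted commit message, that a true `first_message_part` causes the NIP bit to be ORed into the function code.

```c
#include <stdint.h>
#include <string.h>

/* Constructed values for this model, not copied from kernel headers. */
#define MODEL_FC_SHA512 0x03u
#define MODEL_FC_NIP    0x8000u

/* Hypothetical stand-in for the hash context. */
struct model_sha_ctx {
    uint64_t count;
    uint64_t state[8];
    unsigned int func;
    unsigned char first_message_part; /* a boolean in the real struct */
};

/* Hypothetical exported state: it carries no first_message_part. */
struct model_export { uint64_t count; uint64_t state[8]; };

/* Import that restores the saved state but never writes the flag. */
static void model_import_incomplete(struct model_sha_ctx *ctx,
                                    const struct model_export *in)
{
    ctx->count = in->count;
    memcpy(ctx->state, in->state, sizeof(ctx->state));
    ctx->func = MODEL_FC_SHA512;
}

/* Import that also sets the flag explicitly, as the init path does. */
static void model_import_complete(struct model_sha_ctx *ctx,
                                  const struct model_export *in)
{
    model_import_incomplete(ctx, in);
    ctx->first_message_part = 0;
}

/* Assumed mapping: a true flag ORs the NIP bit into the function code. */
static unsigned int model_function_code(const struct model_sha_ctx *ctx)
{
    return ctx->func | (ctx->first_message_part ? MODEL_FC_NIP : 0u);
}

/* Import into a context filled with constructed stale bytes (0xA5). */
unsigned int fc_after_import(int complete)
{
    struct model_sha_ctx ctx;
    struct model_export saved = { .count = 128 };
    memset(&ctx, 0xA5, sizeof(ctx));
    (complete ? model_import_complete : model_import_incomplete)(&ctx, &saved);
    return model_function_code(&ctx);
}
```

With the incomplete import the stale byte decides the function code; with the complete import the result no longer depends on what the memory held before.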