Re: [PATCH v2] crypto: ecc - Fix carry overflow in vli multiplication

From: Herbert Xu

Date: Fri May 22 2026 - 08:40:38 EST


On Wed, May 13, 2026 at 01:57:40PM +0300, Anastasia Tishchenko wrote:
> The carry flag calculation fails when r01.m_high is saturated
> (0xFFFFFFFFFFFFFFFF) and addition of lower bits overflows.
>
> The condition (r01.m_high < product.m_high) doesn't handle the case
> where r01.m_high == product.m_high and an additional carry exists
> from lower-bit overflow.
>
> When commit 3c4b23901a0c ("crypto: ecdh - Add ECDH software support")
> introduced crypto/ecc.c, it split the muladd() function in the
> micro-ecc library into separate mul_64_64() and add_128_128() helpers.
> It seems the check got lost in translation.
>
> Add proper handling for this boundary by accounting for the carry
> from the lower addition.
>
> Fixes: 3c4b23901a0c ("crypto: ecdh - Add ECDH software support")
> Signed-off-by: Anastasia Tishchenko <sv3iry@xxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx # v4.8+
> ---
> Changes v1 -> v2:
> * Rename add_128_128() to check_add_128_128_overflow() and let it return a bool
> indicating whether an overflow occurred
> * Rewrite an explicit if-else statement using constant-time bitwise arithmetic
> to avoid a timing side-channel
>
> Link to v1:
> https://lore.kernel.org/r/20260508114844.29694-1-sv3iry@xxxxxxxxx/
> ---
> crypto/ecc.c | 31 ++++++++++++++++++++-----------
> 1 file changed, 20 insertions(+), 11 deletions(-)

Patch applied. Thanks.
--
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
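
The boundary case described in the quoted commit message, as an added example in C that is not part of this thread and is not the code in crypto/ecc.c. The struct layout, the function names and the input values are assumptions constructed for illustration; the example sets the quoted `r01.m_high < product.m_high` comparison beside a carry derived from both 64-bit additions.

```c
#include <stdint.h>
#include <stdio.h>
/* 128-bit value as two 64-bit halves (layout assumed for this example). */
struct u128 { uint64_t m_low, m_high; };

/* Carry out of bit 63 for s = a + b + carry_in, using bitwise arithmetic only. */
static uint64_t carry_out(uint64_t a, uint64_t b, uint64_t s)
{
	return ((a & b) | ((a | b) & ~s)) >> 63;
}

/* acc += p; returns the carry out of bit 127 (0 or 1). */
static uint64_t add_128_carry(struct u128 *acc, struct u128 p)
{
	uint64_t lo = acc->m_low + p.m_low;
	uint64_t c_lo = carry_out(acc->m_low, p.m_low, lo);
	uint64_t hi = acc->m_high + p.m_high + c_lo;
	uint64_t c_hi = carry_out(acc->m_high, p.m_high, hi);
	acc->m_low = lo;
	acc->m_high = hi;
	return c_hi;
}

/* The comparison quoted in the commit message, applied after the addition. */
static uint64_t carry_by_compare(struct u128 sum, struct u128 p)
{
	return sum.m_high < p.m_high;
}

/* Returns 1 when the comparison misses a carry that really occurred. */
static int compare_misses_carry(struct u128 acc, struct u128 p)
{
	uint64_t real = add_128_carry(&acc, p);
	return real == 1 && carry_by_compare(acc, p) == 0;
}

/* Constructed boundary input: saturated high word plus low-word overflow. */
static int boundary_case(void)
{
	struct u128 acc = { 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL };
	struct u128 p   = { 1, 0x1234 };
	return compare_misses_carry(acc, p);
}

int main(void)
{
	printf("boundary case missed by compare: %d\n", boundary_case());
	return 0;
}
```

With the constructed input the high word wraps to exactly the addend's high word, so the comparison reports no carry while the 128-bit sum has overflowed.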