[PATCH] crypto : ecc - Fix carry overflow in vli multiplication

Next message: David Hildenbrand (Arm): "Re: [PATCH v3] dma-contiguous: setup default numa cma area if not configured explicitly"
Previous message: Daniel Golle: "Re: [PATCH 2/2] drm/mediatek: hdmi: report jack plugged state from bridge enable/disable"
Next in thread: Stefan Berger: "Re: [PATCH] crypto : ecc - Fix carry overflow in vli multiplication"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Anastasia Tishchenko

Date: Fri May 08 2026 - 07:49:44 EST

The carry flag calculation fails when r01.m_high is saturated
(0xFFFFFFFFFFFFFFFF) and addition of lower bits overflows.

The condition (r01.m_high < product.m_high) doesn't handle the case
where r01.m_high == product.m_high and an additional carry exists
from lower-bit overflow.

Add proper handling for this boundary by accounting for the carry
from the lower addition.

This issue was discovered during formal verification of ECC functions.

Signed-off-by: Anastasia Tishchenko <sv3iry@xxxxxxxxx>
---
crypto/ecc.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/crypto/ecc.c b/crypto/ecc.c
index 43b0def3a225..dfe96471407c 100644
--- a/crypto/ecc.c
+++ b/crypto/ecc.c
@@ -427,7 +427,10 @@ static void vli_mult(u64 *result, const u64 *left, const u64 *right,
product = mul_64_64(left[i], right[k - i]);

r01 = add_128_128(r01, product);
- r2 += (r01.m_high < product.m_high);
+ if (r01.m_high != product.m_high)
+ r2 += (r01.m_high < product.m_high);
+ else
+ r2 += (r01.m_low < product.m_low);
}

result[k] = r01.m_low;
@@ -488,7 +491,10 @@ static void vli_square(u64 *result, const u64 *left, unsigned int ndigits)
}

r01 = add_128_128(r01, product);
- r2 += (r01.m_high < product.m_high);
+ if (r01.m_high != product.m_high)
+ r2 += (r01.m_high < product.m_high);
+ else
+ r2 += (r01.m_low < product.m_low);
}

result[k] = r01.m_low;
--
2.43.0