AES256-GCM emits all-zeros ciphertext on aarch64 with hardware acceleration

Bug #1707172 reported by Ard Biesheuvel
Affects            Status        Importance  Assigned to          Milestone
gnutls28 (Ubuntu)  Fix Released  Critical    Julian Andres Klode
Zesty              Fix Released  Critical    Julian Andres Klode

Bug Description

[Impact]
AES256-GCM ciphertext is all zeros on arm64 with hardware acceleration when the buffer is encrypted in place, breaking gnome-terminal and xfce4-terminal, which use encrypted scrollback buffers.

[Test case]
Compile the program from https://gitlab.com/gnutls/gnutls/issues/204 and make sure the ciphertext is not all zeros when running it on an aarch64 machine with hardware acceleration.

[Regression potential]
The code change is limited to AES256-GCM with hardware acceleration on aarch64, so that is the only thing that could break. Given that this path is already broken (it produces all-zero ciphertext), a regression there would not make matters worse.

[Other info]
Original report:

The following Debian issue exists in the Ubuntu package as well

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867581

It breaks gnome-terminal and xfce4-terminal on arm64 machines.

The issue is fixed upstream in 3.5.13, and the fix was backported to Debian stretch as well (3.5.8-5+deb9u2).
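The check described in the [Test case] above, as an added example: this is not the program from the GnuTLS issue and not GnuTLS or Ubuntu code. It is written against Go's standard-library crypto/cipher AEAD, whose Seal and Open accept dst = buf[:0] for in-place operation, so it runs without GnuTLS. It encodes the properties a regression test for this bug class should assert: the in-place ciphertext must equal the out-of-place ciphertext, must not be all zeros, must not equal the plaintext, and must decrypt back in place. The key, nonce, AAD and plaintext lengths are constructed sample inputs; the same structure transfers to a GnuTLS program whose output buffer is the input buffer.

```go
// Added example (not the GnuTLS test program): a regression check for an
// AEAD implementation's in-place path, using Go's crypto/cipher instead of
// GnuTLS. The bug on this page produced all-zero ciphertext only when the
// output buffer aliased the input, so the reference is an out-of-place run.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// allZero reports whether every byte of b is zero.
func allZero(b []byte) bool {
	for _, c := range b {
		if c != 0 {
			return false
		}
	}
	return true
}

// CheckInPlaceAESGCM encrypts plaintext twice with AES-256-GCM, once into a
// fresh buffer and once in place (reusing the plaintext's storage), and
// returns an error describing the first mismatch it finds. A nil result means
// the in-place path behaved exactly like the out-of-place one.
func CheckInPlaceAESGCM(key, nonce, plaintext, aad []byte) error {
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}

	// Reference: out-of-place encryption into a separate buffer.
	reference := aead.Seal(nil, nonce, plaintext, aad)

	// In place: Seal appends to buf[:0], so the ciphertext overwrites the
	// plaintext bytes. The buffer needs spare capacity for the 16-byte tag,
	// otherwise Seal would silently allocate and the test would not be in place.
	buf := make([]byte, len(plaintext), len(plaintext)+aead.Overhead())
	copy(buf, plaintext)
	inPlace := aead.Seal(buf[:0], nonce, buf, aad)

	// The equality check is exact for every length; the degenerate-output
	// checks are only meaningful once there are enough bytes that a random
	// match is negligible (one full block or more).
	ctLen := len(plaintext)
	switch {
	case !bytes.Equal(inPlace, reference):
		return errors.New("in-place and out-of-place ciphertexts differ")
	case ctLen >= 16 && allZero(inPlace[:ctLen]):
		return errors.New("in-place ciphertext is all zeros")
	case ctLen >= 16 && bytes.Equal(inPlace[:ctLen], plaintext):
		return errors.New("in-place ciphertext equals plaintext")
	}

	// Decrypt in place as well and confirm the round trip.
	dec, err := aead.Open(inPlace[:0], nonce, inPlace, aad)
	if err != nil {
		return fmt.Errorf("in-place decryption failed: %w", err)
	}
	if !bytes.Equal(dec, plaintext) {
		return errors.New("in-place decryption did not restore plaintext")
	}
	return nil
}

func main() {
	key := make([]byte, 32) // AES-256
	nonce := make([]byte, 12)
	rand.Read(key)
	rand.Read(nonce)

	// Constructed sample inputs: several lengths, including partial trailing
	// blocks, since in-place bugs tend to hide at block boundaries.
	for _, n := range []int{0, 1, 15, 16, 17, 64, 1000} {
		pt := bytes.Repeat([]byte{'y', '\n'}, n/2+1)[:n]
		if err := CheckInPlaceAESGCM(key, nonce, pt, []byte("scrollback")); err != nil {
			fmt.Printf("FAIL len=%d: %v\n", n, err)
			return
		}
	}
	fmt.Println("OK: in-place AES-256-GCM matches out-of-place for all lengths")
}
```

Running the same harness against the library under test, on the hardware under test, is what turns the one-line [Test case] into something an SRU verifier can execute; a hardware-accelerated path that diverges only when input and output alias would fail the first case of the switch.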

Revision history for this message
Julian Andres Klode (juliank) wrote :

Yeah, I just noticed that as well. I could do an update; I need to fix the one from +deb9u3 as well.

Revision history for this message
Julian Andres Klode (juliank) wrote :

Do we have a reproducible test case for an SRU?

Revision history for this message
Ard Biesheuvel (ard-biesheuvel) wrote : Re: [Bug 1707172] Re: AES256-GCM emits all-zeros ciphertext on aarch64 with hardware acceleration

On 1 September 2017 at 14:10, Julian Andres Klode
<email address hidden> wrote:
> Do we have a reproducible test case for an SRU?
>

Doesn't the debian bug report have one?


Revision history for this message
Julian Andres Klode (juliank) wrote :

It says to run "yes" in a terminal; that's somewhat suboptimal to test.

Revision history for this message
Julian Andres Klode (juliank) wrote :
description: updated
Changed in gnutls28 (Ubuntu):
status: New → Triaged
importance: Undecided → High
status: Triaged → In Progress
Changed in gnutls28 (Ubuntu):
assignee: nobody → Julian Andres Klode (juliank)
Revision history for this message
Ard Biesheuvel (ard-biesheuvel) wrote :

On 1 September 2017 at 14:32, Julian Andres Klode
<email address hidden> wrote:
> Ah, https://gitlab.com/gnutls/gnutls/issues/204 has more details.
>
> ** Description changed:
>
> + [Impact]
> + AES256-GCM ciphertext is all zero on arm64 with hardware acceleration, breaking gnome-terminal and xfce4-terminal which use encrypted scrollback buffers.
> +
> + [Test case]
> + Compile the program from https://gitlab.com/gnutls/gnutls/issues/204 and make sure the cipher text is not all zeros
> +

Yeah, this is the one I was referring to.

Changed in gnutls28 (Ubuntu Zesty):
importance: Undecided → High
status: New → Triaged
assignee: nobody → Julian Andres Klode (juliank)
Changed in gnutls28 (Ubuntu):
status: In Progress → Fix Committed
description: updated
Revision history for this message
Julian Andres Klode (juliank) wrote :

@ard Are releases older than zesty affected as well? I don't have a machine to test this, I'm just uploading the fix for zesty and artful.

Revision history for this message
Ard Biesheuvel (ard-biesheuvel) wrote :

On 2 September 2017 at 15:49, Julian Andres Klode
<email address hidden> wrote:
> @ard Are releases older than zesty affected as well? I don't have a
> machine to test this, I'm just uploading the fix for zesty and artful.
>

No, the issue appeared only after upgrading to Zesty.

Changed in gnutls28 (Ubuntu Zesty):
status: Triaged → Confirmed
status: Confirmed → In Progress
Revision history for this message
Julian Andres Klode (juliank) wrote :

Thanks Ard.

Fixes for both artful and zesty are uploaded now.

Revision history for this message
Ard Biesheuvel (ard-biesheuvel) wrote :

On 2 September 2017 at 16:22, Julian Andres Klode
<email address hidden> wrote:
> Thanks Ard.
>
> Fixes for both artful and zesty are uploaded now.
>

Great! Thanks.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnutls28 - 3.5.8-6ubuntu3

---------------
gnutls28 (3.5.8-6ubuntu3) artful; urgency=medium

  * Cherry pick several fixes from Debian 3.5.8-5+deb9u3:
    - 38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch
      38_02-OCSP-find_signercert-improved-DER-length-calculation.patch from
      gnutls 3.5.14: Fix OCSP verification errors, especially with ecdsa
      signatures. LP: #1714506
    - 37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch from
      upstream 3.5.x branch: Fix breakage of AES-GCM in-place encryption and
      decryption on aarch64. LP: #1707172

 -- Julian Andres Klode <email address hidden> Sat, 02 Sep 2017 16:12:49 +0200

Changed in gnutls28 (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Julian Andres Klode (juliank) wrote :

Given that this essentially destroys data when encrypting it in-place, I'm increasing importance to critical.

Changed in gnutls28 (Ubuntu):
importance: High → Critical
Changed in gnutls28 (Ubuntu Zesty):
importance: High → Critical
Revision history for this message
Andy Whitcroft (apw) wrote : Please test proposed package

Hello Ard, or anyone else affected,

Accepted gnutls28 into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gnutls28/3.5.6-4ubuntu4.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in gnutls28 (Ubuntu Zesty):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-zesty
Revision history for this message
Ard Biesheuvel (ard-biesheuvel) wrote :

Bug is fixed on zesty with package version 3.5.6-4ubuntu4.3

tags: added: verification-done-zesty
removed: verification-needed-zesty
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnutls28 - 3.5.6-4ubuntu4.3

---------------
gnutls28 (3.5.6-4ubuntu4.3) zesty; urgency=medium

  * Cherry pick several fixes from Debian 3.5.8-5+deb9u3:
    - 38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch
      38_02-OCSP-find_signercert-improved-DER-length-calculation.patch from
      gnutls 3.5.14: Fix OCSP verification errors, especially with ecdsa
      signatures. LP: #1714506
    - 37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch from
      upstream 3.5.x branch: Fix breakage of AES-GCM in-place encryption and
      decryption on aarch64. LP: #1707172

 -- Julian Andres Klode <email address hidden> Sat, 02 Sep 2017 16:12:49 +0200

Changed in gnutls28 (Ubuntu Zesty):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for gnutls28 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
