pq-crystals/kyber

Round 3 Kyber1024 AVX2 implementation of poly_decompress reads out of bounds

jschanck opened this issue · 0 comments

The _mm_loadu_si128 at line 204 of poly.c

kyber/avx2/poly.c

Lines 203 to 204 in b5857a3

for(i=0;i<KYBER_N/16;i++) {
  f = _mm256_broadcastsi128_si256(_mm_loadu_si128((__m128i *)&a[10*i]));

reads 16 bytes from a[150]. This will include 6 out-of-bounds bytes when unpack_ciphertext is called here in indcpa_dec

kyber/avx2/indcpa.c

Lines 681 to 688 in b5857a3

void indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES],
                const uint8_t c[KYBER_INDCPA_BYTES],
                const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES])
{
  polyvec bp, skpv;
  poly v, mp;
  unpack_ciphertext(&bp, &v, c);

Quick and dirty fix here: https://github.com/jschanck/package-pqclean/blob/88ee652a0dcc7c23da4f65b477905a193fc30e7a/kyber/patches/avx2_indcpa.c#L12-L25
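Added example, not code from the Kyber repository, from this issue, or from the linked patch: a portable C model of the index arithmetic behind the report, using the public Round 3 Kyber1024 parameters (KYBER_N = 256, 5-bit compression of v giving a 160-byte poly, a 1408-byte compressed polyvec, hence KYBER_INDCPA_BYTES = 1568). It computes how far the final 16-byte load reaches past the compressed poly and past the ciphertext buffer, runs an instrumented scalar decompression using the reference-implementation formula to show what an in-bounds read pattern looks like, and stages the last 10 bytes into a zero-padded 16-byte buffer, which is one assumed way to feed a 16-byte vector load safely and is not the project's own fix. The helper names (avx2_overread_bytes, ciphertext_overread_bytes, poly_decompress_scalar, stage_last_block) and the AVX2_* macros are this example's own; the constructed input buffer is a byte ramp, not a real ciphertext.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Round 3 Kyber1024 parameters (public constants from the Kyber spec). */
#define KYBER_N 256
#define KYBER_Q 3329
#define KYBER_K 4
#define KYBER_POLYCOMPRESSEDBYTES 160                 /* 256 coeffs x 5 bits / 8 */
#define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 352)  /* 4 x (256 coeffs x 11 bits / 8) */
#define KYBER_INDCPA_BYTES (KYBER_POLYVECCOMPRESSEDBYTES + KYBER_POLYCOMPRESSEDBYTES)

/* Access pattern of the AVX2 loop in the issue: one unaligned 16-byte load per
 * 16 coefficients, advancing 10 bytes (16 x 5 bits) per iteration. */
#define AVX2_STEP_BYTES 10
#define AVX2_LOAD_BYTES 16

/* Bytes the final _mm_loadu_si128 reaches past the end of the 160-byte input. */
int avx2_overread_bytes(void)
{
    int last_off = (KYBER_N / 16 - 1) * AVX2_STEP_BYTES;  /* 150 */
    int load_end = last_off + AVX2_LOAD_BYTES;            /* 166 */
    return load_end > KYBER_POLYCOMPRESSEDBYTES
         ? load_end - KYBER_POLYCOMPRESSEDBYTES : 0;      /* 6 */
}

/* In unpack_ciphertext the compressed poly v is the last field of c, so the
 * overread leaves the KYBER_INDCPA_BYTES ciphertext buffer by the same amount. */
int ciphertext_overread_bytes(void)
{
    size_t v_off = KYBER_POLYVECCOMPRESSEDBYTES;
    size_t load_end = v_off + (KYBER_N / 16 - 1) * AVX2_STEP_BYTES + AVX2_LOAD_BYTES;
    return load_end > KYBER_INDCPA_BYTES ? (int)(load_end - KYBER_INDCPA_BYTES) : 0;
}

/* Scalar 5-bit decompression using the reference-implementation formula,
 * instrumented to record the highest input index it touches. */
static size_t max_index_read;

static uint8_t rd(const uint8_t *a, size_t i)
{
    if (i > max_index_read) max_index_read = i;
    return a[i];
}

void poly_decompress_scalar(int16_t r[KYBER_N], const uint8_t a[KYBER_POLYCOMPRESSEDBYTES])
{
    max_index_read = 0;
    for (int i = 0; i < KYBER_N / 8; i++) {
        size_t b = 5 * (size_t)i;                 /* 5 bytes carry 8 coefficients */
        uint8_t t[8];
        t[0] = rd(a, b) >> 0;
        t[1] = (rd(a, b) >> 5) | (rd(a, b + 1) << 3);
        t[2] = rd(a, b + 1) >> 2;
        t[3] = (rd(a, b + 1) >> 7) | (rd(a, b + 2) << 1);
        t[4] = (rd(a, b + 2) >> 4) | (rd(a, b + 3) << 4);
        t[5] = rd(a, b + 3) >> 1;
        t[6] = (rd(a, b + 3) >> 6) | (rd(a, b + 4) << 2);
        t[7] = rd(a, b + 4) >> 3;
        for (int j = 0; j < 8; j++)
            r[8 * i + j] = (int16_t)(((uint32_t)(t[j] & 31) * KYBER_Q + 16) >> 5);
    }
}

size_t scalar_max_index_read(void) { return max_index_read; }

/* One in-bounds way to feed the final 16-byte vector: copy only the 10 bytes that
 * exist into a zero-padded staging buffer (an assumed fix pattern for this example,
 * not the project's patch). Returns the number of input bytes actually read. */
size_t stage_last_block(const uint8_t a[KYBER_POLYCOMPRESSEDBYTES], uint8_t out[16])
{
    size_t off = (KYBER_N / 16 - 1) * AVX2_STEP_BYTES;   /* 150 */
    size_t avail = KYBER_POLYCOMPRESSEDBYTES - off;      /* 10 */
    memset(out, 0, 16);
    memcpy(out, a + off, avail);
    return avail;
}

int main(void)
{
    uint8_t c[KYBER_INDCPA_BYTES];   /* constructed ciphertext-sized buffer, byte ramp */
    int16_t v[KYBER_N];
    uint8_t stage[16];
    for (size_t i = 0; i < sizeof c; i++) c[i] = (uint8_t)i;

    poly_decompress_scalar(v, c + KYBER_POLYVECCOMPRESSEDBYTES);
    printf("AVX2 last load: a[150..165], %d bytes past the 160-byte poly, "
           "%d bytes past the %d-byte ciphertext\n",
           avx2_overread_bytes(), ciphertext_overread_bytes(), KYBER_INDCPA_BYTES);
    printf("scalar reference: highest index read = %zu (in bounds)\n",
           scalar_max_index_read());
    printf("staged last block reads %zu input bytes\n",
           stage_last_block(c + KYBER_POLYVECCOMPRESSEDBYTES, stage));
    return 0;
}
```

The arithmetic is the whole point: 16 iterations advancing 10 bytes each start the last load at a[150], and a 16-byte load from there ends at a[166), six bytes beyond the 160-byte compressed poly; because v is the final field of the ciphertext, those six bytes are also beyond c[KYBER_INDCPA_BYTES]. The loaded excess is masked off before it influences any coefficient, so the concern is an out-of-bounds read (a crash or sanitizer report at the end of a mapping), not wrong output.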