sha3: fix SHA-3 on s390x when using KIMD instruction

An illegal instruction would occur due to a bug in the way input
slices were rounded down in size to a multiple of the rate for a
given hash type. This would only occur when the Write function
was called with more than ~3KiB of data and the length of the data
was not a multiple of the rate.

Fixes golang/go#36459.

Change-Id: I621ef8d75602bcd59bb44491e17f721050001e6d
Reviewed-by: Brad Fitzpatrick <>
Run-TryBot: Michael Munday <>
TryBot-Result: Gobot Gobot <>
diff --git a/sha3/sha3_s390x.go b/sha3/sha3_s390x.go
index c13ec85..259ff4d 100644
--- a/sha3/sha3_s390x.go
+++ b/sha3/sha3_s390x.go
@@ -112,7 +112,7 @@
 		if len(s.buf) == 0 && len(b) >= cap(s.buf) {
 			// Hash the data directly and push any remaining bytes
 			// into the buffer.
-			remainder := len(s.buf) % s.rate
+			remainder := len(b) % s.rate
 			kimd(s.function, &s.a, b[:len(b)-remainder])
 			if remainder != 0 {