diff options
| author | jsing <> | 2024-01-24 13:39:44 +0000 |
|---|---|---|
| committer | jsing <> | 2024-01-24 13:39:44 +0000 |
| commit | 304c4bea814902359fc956dde611b1bf4fe6c276 (patch) | |
| tree | 679613d6a2cc3fc254ac55394a8acdda58969623 | |
| parent | 89f19af6362020b7e29fb996f27bc58c7d872ef3 (diff) | |
| download | openbsd-304c4bea814902359fc956dde611b1bf4fe6c276.tar.gz openbsd-304c4bea814902359fc956dde611b1bf4fe6c276.tar.bz2 openbsd-304c4bea814902359fc956dde611b1bf4fe6c276.zip | |
Avoid a four byte overread in gcm_ghash_4bit() on amd64.
The assembly code for gcm_ghash_4bit() reads one too many times from Xi,
resulting in a four byte overread. Prevent this by not loading the next
value in the final iteration of the loop. If another full iteration is
required the next Xi value will be loaded at the top of the outer_loop.
Many thanks to Douglas Gliner <Douglas.Gliner at sony dot com> for finding
and reporting this issue, along with a detailed reproducer.
Same diff from deraadt@
ok tb@
| -rw-r--r-- | src/lib/libcrypto/modes/asm/ghash-x86_64.pl | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/lib/libcrypto/modes/asm/ghash-x86_64.pl b/src/lib/libcrypto/modes/asm/ghash-x86_64.pl index 9ce0c38141..4fded507c8 100644 --- a/src/lib/libcrypto/modes/asm/ghash-x86_64.pl +++ b/src/lib/libcrypto/modes/asm/ghash-x86_64.pl | |||
| @@ -285,7 +285,7 @@ $code.=".align 16\n.Louter_loop:\n"; | |||
| 285 | &shr ($Zlo,8); | 285 | &shr ($Zlo,8); |
| 286 | 286 | ||
| 287 | &movz ($rem[0],&LB($rem[0])); | 287 | &movz ($rem[0],&LB($rem[0])); |
| 288 | &mov ($dat,"$j($Xi)") if (--$j%4==0); | 288 | &mov ($dat,"$j($Xi)") if (--$j%4==0 && $j>=0); |
| 289 | &shr ($Zhi,8); | 289 | &shr ($Zhi,8); |
| 290 | 290 | ||
| 291 | &xor ($Zlo,"-128($Hshr4,$nhi[0],8)"); | 291 | &xor ($Zlo,"-128($Hshr4,$nhi[0],8)"); |