Skip to content

Commit 050d263

Browse files
rohanmcluret8m
rohanmclure
authored and
t8m
committed
poly1305-ppc.pl: Fix vector register clobbering
Fixes CVE-2023-6129 The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs saves the the contents of vector registers in different order than they are restored. Thus the contents of some of these vector registers is corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #23200) (cherry picked from commit 8d847a3)
1 parent 1c75ba9 commit 050d263

File tree

1 file changed

+21
-21
lines changed

1 file changed

+21
-21
lines changed

crypto/poly1305/asm/poly1305-ppc.pl

Lines changed: 21 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -744,7 +744,7 @@
744744
my $LOCALS= 6*$SIZE_T;
745745
my $VSXFRAME = $LOCALS + 6*$SIZE_T;
746746
$VSXFRAME += 128; # local variables
747-
$VSXFRAME += 13*16; # v20-v31 offload
747+
$VSXFRAME += 12*16; # v20-v31 offload
748748

749749
my $BIG_ENDIAN = ($flavour !~ /le/) ? 4 : 0;
750750

@@ -919,12 +919,12 @@
919919
addi r11,r11,32
920920
stvx v22,r10,$sp
921921
addi r10,r10,32
922-
stvx v23,r10,$sp
923-
addi r10,r10,32
924-
stvx v24,r11,$sp
922+
stvx v23,r11,$sp
925923
addi r11,r11,32
926-
stvx v25,r10,$sp
924+
stvx v24,r10,$sp
927925
addi r10,r10,32
926+
stvx v25,r11,$sp
927+
addi r11,r11,32
928928
stvx v26,r10,$sp
929929
addi r10,r10,32
930930
stvx v27,r11,$sp
@@ -1153,12 +1153,12 @@
11531153
addi r11,r11,32
11541154
stvx v22,r10,$sp
11551155
addi r10,r10,32
1156-
stvx v23,r10,$sp
1157-
addi r10,r10,32
1158-
stvx v24,r11,$sp
1156+
stvx v23,r11,$sp
11591157
addi r11,r11,32
1160-
stvx v25,r10,$sp
1158+
stvx v24,r10,$sp
11611159
addi r10,r10,32
1160+
stvx v25,r11,$sp
1161+
addi r11,r11,32
11621162
stvx v26,r10,$sp
11631163
addi r10,r10,32
11641164
stvx v27,r11,$sp
@@ -1899,26 +1899,26 @@
18991899
mtspr 256,r12 # restore vrsave
19001900
lvx v20,r10,$sp
19011901
addi r10,r10,32
1902-
lvx v21,r10,$sp
1903-
addi r10,r10,32
1904-
lvx v22,r11,$sp
1902+
lvx v21,r11,$sp
19051903
addi r11,r11,32
1906-
lvx v23,r10,$sp
1904+
lvx v22,r10,$sp
19071905
addi r10,r10,32
1908-
lvx v24,r11,$sp
1906+
lvx v23,r11,$sp
19091907
addi r11,r11,32
1910-
lvx v25,r10,$sp
1908+
lvx v24,r10,$sp
19111909
addi r10,r10,32
1912-
lvx v26,r11,$sp
1910+
lvx v25,r11,$sp
19131911
addi r11,r11,32
1914-
lvx v27,r10,$sp
1912+
lvx v26,r10,$sp
19151913
addi r10,r10,32
1916-
lvx v28,r11,$sp
1914+
lvx v27,r11,$sp
19171915
addi r11,r11,32
1918-
lvx v29,r10,$sp
1916+
lvx v28,r10,$sp
19191917
addi r10,r10,32
1920-
lvx v30,r11,$sp
1921-
lvx v31,r10,$sp
1918+
lvx v29,r11,$sp
1919+
addi r11,r11,32
1920+
lvx v30,r10,$sp
1921+
lvx v31,r11,$sp
19221922
$POP r27,`$VSXFRAME-$SIZE_T*5`($sp)
19231923
$POP r28,`$VSXFRAME-$SIZE_T*4`($sp)
19241924
$POP r29,`$VSXFRAME-$SIZE_T*3`($sp)

0 commit comments

Comments
 (0)