
Commit a59b90b

Andy Polyakovmattcaswell
Andy Polyakov
authored andcommitted
bn/asm/x86_64-mont5.pl: fix carry bug in bn_sqr8x_internal.
CVE-2017-3732 Reviewed-by: Rich Salz <rsalz@openssl.org>
1 parent 20b69f6 commit a59b90b


1 file changed

+7
-9
lines changed


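--- a/crypto/bn/asm/x86_64-mont5.pl
+++ b/crypto/bn/asm/x86_64-mont5.pl
@@ -1934,17 +1934,16 @@
 
 .align 32
 .L8x_tail_done:
+xor %rax,%rax
 add (%rdx),%r8 # can this overflow?
 adc \$0,%r9
 adc \$0,%r10
 adc \$0,%r11
 adc \$0,%r12
 adc \$0,%r13
 adc \$0,%r14
-adc \$0,%r15 # can't overflow, because we
-# started with "overhung" part
-# of multiplication
-xor %rax,%rax
+adc \$0,%r15
+adc \$0,%rax
 
 neg $carry
 .L8x_no_tail:
@@ -3384,17 +3383,16 @@
 
 .align 32
 .Lsqrx8x_tail_done:
+xor %rax,%rax
 add 24+8(%rsp),%r8 # can this overflow?
 adc \$0,%r9
 adc \$0,%r10
 adc \$0,%r11
 adc \$0,%r12
 adc \$0,%r13
 adc \$0,%r14
-adc \$0,%r15 # can't overflow, because we
-# started with "overhung" part
-# of multiplication
-mov $carry,%rax # xor %rax,%rax
+adc \$0,%r15
+adc \$0,%rax
 
 sub 16+8(%rsp),$carry # mov 16(%rsp),%cf
 .Lsqrx8x_no_tail: # %cf is 0 if jumped here
@@ -3409,7 +3407,7 @@
 adc 8*5($tptr),%r13
 adc 8*6($tptr),%r14
 adc 8*7($tptr),%r15
-adc %rax,%rax # top-most carry
+adc \$0,%rax # top-most carry
 
 mov 32+8(%rsp),%rbx # n0
 mov 8*8($tptr,%rcx),%rdx # modulo-scheduled "%r8"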
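Review bot: The `# can this overflow?` comment on the `add` line at the top of both tail blocks (`.L8x_tail_done` and `.Lsqrx8x_tail_done`) is left on the new side although the commit answers it by moving `xor %rax,%rax` ahead of the chain and collecting the carry out of `%r15` with `adc \$0,%rax`; the stale question now reads as an open doubt about code that was just fixed. Replace it on both lines with `# may carry out of %r15; carry collected in %rax below`, and drop the duplicated `# top-most carry` wording at `adc \$0,%rax` in the third hunk to something like `# fold the tail carry (0/1 in %rax)`. The `.Lsqrx8x_no_tail` label is also reached by a jump that bypasses the new `xor %rax,%rax`, so the value of `%rax` on that path is fixed outside this hunk; a one-line comment at the label stating what `%rax` must hold on entry would make the contract the third hunk depends on explicit. A regression vector that forces a carry out of the tail addition would pin this fix against future rescheduling of the chain. Both tail blocks start and end outside the hunks shown.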
