Permalink
Browse files

bn/asm/x86_64-mont5.pl: fix carry bug in bn_sqr8x_internal.

CVE-2017-3732

Reviewed-by: Rich Salz <rsalz@openssl.org>
  • Loading branch information...
dot-asm authored and mattcaswell committed Jan 21, 2017
1 parent 20b69f6 commit a59b90bf491410f1f2bc4540cc21f1980fd14c5b
Showing with 7 additions and 9 deletions.
  1. +7 −9 crypto/bn/asm/x86_64-mont5.pl
@@ -1934,17 +1934,16 @@
.align 32
.L8x_tail_done:
xor %rax,%rax
add (%rdx),%r8 # can this overflow?
adc \$0,%r9
adc \$0,%r10
adc \$0,%r11
adc \$0,%r12
adc \$0,%r13
adc \$0,%r14
adc \$0,%r15 # can't overflow, because we
# started with "overhung" part
# of multiplication
xor %rax,%rax
adc \$0,%r15
adc \$0,%rax
neg $carry
.L8x_no_tail:
@@ -3384,17 +3383,16 @@
.align 32
.Lsqrx8x_tail_done:
xor %rax,%rax
add 24+8(%rsp),%r8 # can this overflow?
adc \$0,%r9
adc \$0,%r10
adc \$0,%r11
adc \$0,%r12
adc \$0,%r13
adc \$0,%r14
adc \$0,%r15 # can't overflow, because we
# started with "overhung" part
# of multiplication
mov $carry,%rax # xor %rax,%rax
adc \$0,%r15
adc \$0,%rax
sub 16+8(%rsp),$carry # mov 16(%rsp),%cf
.Lsqrx8x_no_tail: # %cf is 0 if jumped here
@@ -3409,7 +3407,7 @@
adc 8*5($tptr),%r13
adc 8*6($tptr),%r14
adc 8*7($tptr),%r15
adc %rax,%rax # top-most carry
adc \$0,%rax # top-most carry
mov 32+8(%rsp),%rbx # n0
mov 8*8($tptr,%rcx),%rdx # modulo-scheduled "%r8"

0 comments on commit a59b90b

Please sign in to comment.