|
 |
e62613 |
From ca51bafc1a88d8b8348f5fd97adc5d6ca93f8e76 Mon Sep 17 00:00:00 2001
|
|
|
e62613 |
From: Andy Polyakov <appro@openssl.org>
|
|
|
e62613 |
Date: Fri, 24 Nov 2017 11:35:50 +0100
|
|
|
e62613 |
Subject: [PATCH] bn/asm/rsaz-avx2.pl: fix digit correction bug in
|
|
|
e62613 |
rsaz_1024_mul_avx2.
|
|
|
e62613 |
|
|
|
e62613 |
Credit to OSS-Fuzz for finding this.
|
|
|
e62613 |
|
|
|
e62613 |
CVE-2017-3738
|
|
|
e62613 |
|
|
|
e62613 |
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
|
e62613 |
---
|
|
|
e62613 |
crypto/bn/asm/rsaz-avx2.pl | 15 +++++++--------
|
|
|
e62613 |
1 file changed, 7 insertions(+), 8 deletions(-)
|
|
|
e62613 |
|
|
|
e62613 |
diff --git a/crypto/bn/asm/rsaz-avx2.pl b/crypto/bn/asm/rsaz-avx2.pl
|
|
|
e62613 |
index 712a77f..2b3f8b0 100755
|
|
|
e62613 |
--- a/crypto/bn/asm/rsaz-avx2.pl
|
|
|
e62613 |
+++ b/crypto/bn/asm/rsaz-avx2.pl
|
|
|
e62613 |
@@ -239,7 +239,7 @@ $code.=<<___;
|
|
|
e62613 |
vmovdqu 32*8-128($ap), $ACC8
|
|
|
e62613 |
|
|
|
e62613 |
lea 192(%rsp), $tp0 # 64+128=192
|
|
|
e62613 |
- vpbroadcastq .Land_mask(%rip), $AND_MASK
|
|
|
e62613 |
+ vmovdqu .Land_mask(%rip), $AND_MASK
|
|
|
e62613 |
jmp .LOOP_GRANDE_SQR_1024
|
|
|
e62613 |
|
|
|
e62613 |
.align 32
|
|
|
e62613 |
@@ -1070,10 +1070,10 @@ $code.=<<___;
|
|
|
e62613 |
vpmuludq 32*6-128($np),$Yi,$TEMP1
|
|
|
e62613 |
vpaddq $TEMP1,$ACC6,$ACC6
|
|
|
e62613 |
vpmuludq 32*7-128($np),$Yi,$TEMP2
|
|
|
e62613 |
- vpblendd \$3, $ZERO, $ACC9, $ACC9 # correct $ACC3
|
|
|
e62613 |
+ vpblendd \$3, $ZERO, $ACC9, $TEMP1 # correct $ACC3
|
|
|
e62613 |
vpaddq $TEMP2,$ACC7,$ACC7
|
|
|
e62613 |
vpmuludq 32*8-128($np),$Yi,$TEMP0
|
|
|
e62613 |
- vpaddq $ACC9, $ACC3, $ACC3 # correct $ACC3
|
|
|
e62613 |
+ vpaddq $TEMP1, $ACC3, $ACC3 # correct $ACC3
|
|
|
e62613 |
vpaddq $TEMP0,$ACC8,$ACC8
|
|
|
e62613 |
|
|
|
e62613 |
mov %rbx, %rax
|
|
|
e62613 |
@@ -1086,7 +1086,9 @@ $code.=<<___;
|
|
|
e62613 |
vmovdqu -8+32*2-128($ap),$TEMP2
|
|
|
e62613 |
|
|
|
e62613 |
mov $r1, %rax
|
|
|
e62613 |
+ vpblendd \$0xfc, $ZERO, $ACC9, $ACC9 # correct $ACC3
|
|
|
e62613 |
imull $n0, %eax
|
|
|
e62613 |
+ vpaddq $ACC9,$ACC4,$ACC4 # correct $ACC3
|
|
|
e62613 |
and \$0x1fffffff, %eax
|
|
|
e62613 |
|
|
|
e62613 |
imulq 16-128($ap),%rbx
|
|
|
e62613 |
@@ -1322,15 +1324,12 @@ ___
|
|
|
e62613 |
# But as we underutilize resources, it's possible to correct in
|
|
|
e62613 |
# each iteration with marginal performance loss. But then, as
|
|
|
e62613 |
# we do it in each iteration, we can correct less digits, and
|
|
|
e62613 |
-# avoid performance penalties completely. Also note that we
|
|
|
e62613 |
-# correct only three digits out of four. This works because
|
|
|
e62613 |
-# most significant digit is subjected to less additions.
|
|
|
e62613 |
+# avoid performance penalties completely.
|
|
|
e62613 |
|
|
|
e62613 |
$TEMP0 = $ACC9;
|
|
|
e62613 |
$TEMP3 = $Bi;
|
|
|
e62613 |
$TEMP4 = $Yi;
|
|
|
e62613 |
$code.=<<___;
|
|
|
e62613 |
- vpermq \$0, $AND_MASK, $AND_MASK
|
|
|
e62613 |
vpaddq (%rsp), $TEMP1, $ACC0
|
|
|
e62613 |
|
|
|
e62613 |
vpsrlq \$29, $ACC0, $TEMP1
|
|
|
e62613 |
@@ -1763,7 +1762,7 @@ $code.=<<___;
|
|
|
e62613 |
|
|
|
e62613 |
.align 64
|
|
|
e62613 |
.Land_mask:
|
|
|
e62613 |
- .quad 0x1fffffff,0x1fffffff,0x1fffffff,-1
|
|
|
e62613 |
+ .quad 0x1fffffff,0x1fffffff,0x1fffffff,0x1fffffff
|
|
|
e62613 |
.Lscatter_permd:
|
|
|
e62613 |
.long 0,2,4,6,7,7,7,7
|
|
|
e62613 |
.Lgather_permd:
|
|
|
e62613 |
--
|
|
|
e62613 |
2.9.5
|
|
|
e62613 |
|