From 5d09e1c24125db653332a588d37b7249cddc37b2 Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Tue, 22 Aug 2023 16:07:30 +0200 Subject: [PATCH 1/2] Avoid clobbering non-volatile XMM registers This affects some Poly1305 assembler functions which are only used for certain CPU types. Remove those functions for Windows targets, as a simple interim solution. Fixes #21522 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21808) (cherry picked from commit 7b8e27bc2e02238986d89ef0ece067ec1b48e165) Signed-off-by: code4lala --- crypto/poly1305/asm/poly1305-x86_64.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/poly1305/asm/poly1305-x86_64.pl b/crypto/poly1305/asm/poly1305-x86_64.pl index 5f834d8faf..801455c639 100644 --- a/crypto/poly1305/asm/poly1305-x86_64.pl +++ b/crypto/poly1305/asm/poly1305-x86_64.pl @@ -193,7 +193,7 @@ $code.=<<___ if ($avx>1); bt \$`5+32`,%r9 # AVX2? cmovc %rax,%r10 ___ -$code.=<<___ if ($avx>3); +$code.=<<___ if ($avx>3 && !$win64); mov \$`(1<<31|1<<21|1<<16)`,%rax shr \$32,%r9 and %rax,%r9 @@ -2722,7 +2722,7 @@ $code.=<<___; .cfi_endproc .size poly1305_blocks_avx512,.-poly1305_blocks_avx512 ___ -if ($avx>3) { +if ($avx>3 && !$win64) { ######################################################################## # VPMADD52 version using 2^44 radix. # -- Gitee From f8e28e6f221090675ff3333ad369e8675f429988 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 8 Sep 2023 15:35:22 +0200 Subject: [PATCH 2/2] Add CVE-2023-4807 fix to CHANGES and NEWS Reviewed-by: Matt Caswell Reviewed-by: Hugo Landau Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22034) Signed-off-by: code4lala --- CHANGES | 21 +++++++++++++++++++++ NEWS | 2 ++ 2 files changed, 23 insertions(+) diff --git a/CHANGES b/CHANGES index 818f31c241..0406e90973 100644 --- a/CHANGES +++ b/CHANGES 
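Review bot: The new `!$win64` guard on the `$avx>3` heredoc drops the CPUID dispatch to the 2^44-radix (VPMADD52) path on Win64 without saying why, so a later reader comparing it with the other `$avx` gates may re-enable it and bring back the clobber of xmm6-xmm15 that CVE-2023-4807 is about; add a comment above the guard, e.g. `# VPMADD52 code does not preserve xmm6-15 (non-volatile under the Win64 ABI); keep it out of the Win64 dispatch until its epilogue restores them`. This presumes `$win64` is derived from `$flavour` earlier in the script as in the sibling x86_64 perlasm files; that definition, and whatever consumes `%r9` after the `and`, lie outside the hunk. On Win64 the visible effect should be that IFMA-capable CPUs fall back to the AVX2/AVX512 blocks routines, a performance trade-off worth stating in the same comment.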
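Review bot: The condition `$avx>3 && !$win64` is now duplicated between the dispatch hunk near line 193 and this definition guard, and the two must stay in sync: changing only one leaves the Win64 build either dispatching to a routine that is never emitted or emitting unguarded VPMADD52 code again. Computing it once near the top of the script, `my $base2_44 = ($avx>3 && !$win64);`, and testing `$base2_44` at both sites would remove that hazard, with a comment noting that, per the CHANGES entry, these routines zero the XMM registers before returning instead of restoring xmm6-xmm15 as the Win64 ABI requires. The Perl block opened by this `if (...) {` closes well past the end of the hunk; if the file's Win64 `.pdata`/`.xdata` tables or any `.LSEH` labels reference the VPMADD52 symbols (not visible here), they need the same guard or the Win64 link will fail.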
@@ -6,6 +6,27 @@ For a full list of changes, see the git commit log; for example, https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + *) Fix POLY1305 MAC implementation corrupting XMM registers on Windows. + + The POLY1305 MAC (message authentication code) implementation in OpenSSL + does not save the contents of non-volatile XMM registers on Windows 64 + platform when calculating the MAC of data larger than 64 bytes. Before + returning to the caller all the XMM registers are set to zero rather than + restoring their previous content. The vulnerable code is used only on newer + x86_64 processors supporting the AVX512-IFMA instructions. + + The consequences of this kind of internal application state corruption can + be various - from no consequences, if the calling application does not + depend on the contents of non-volatile XMM registers at all, to the worst + consequences, where the attacker could get complete control of the + application process. However given the contents of the registers are just + zeroized so the attacker cannot put arbitrary values inside, the most likely + consequence, if any, would be an incorrect result of some application + dependent calculations or a crash leading to a denial of service. + + (CVE-2023-4807) + [Bernd Edlinger] + *) Fix excessive time spent checking DH q parameter value. The function DH_check() performs various checks on DH parameters. After diff --git a/NEWS b/NEWS index 52ae6366c2..f85833e6eb 100644 --- a/NEWS +++ b/NEWS @@ -4,6 +4,8 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + o Fix POLY1305 MAC implementation corrupting XMM registers on Windows + (CVE-2023-4807) o Fix excessive time spent checking DH q parameter value (CVE-2023-3817) o Fix DH_check() excessive time with over sized modulus (CVE-2023-3446) o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466) -- Gitee