From: Ard Biesheuvel Date: Tue, 27 Oct 2020 17:02:40 +0000 (+0100) Subject: crypto/poly1305/asm: fix armv8 pointer authentication X-Git-Tag: OpenSSL_1_1_1i~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5795acffd8706e1cb584284ee5bb3a30986d0e75;p=thirdparty%2Fopenssl.git crypto/poly1305/asm: fix armv8 pointer authentication PAC pointer authentication signs the return address against the value of the stack pointer, to prevent stack overrun exploits from corrupting the control flow. However, this requires that the AUTIASP is issued with SP holding the same value as it held when the PAC value was generated. The Poly1305 armv8 code got this wrong, resulting in crashes on PAC capable hardware. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13256) (cherry picked from commit fcf6e9d056162d5af64c6f7209388a5c3be2ce57) --- diff --git a/crypto/poly1305/asm/poly1305-armv8.pl b/crypto/poly1305/asm/poly1305-armv8.pl index d07494bd180..2a42b64a929 100755 --- a/crypto/poly1305/asm/poly1305-armv8.pl +++ b/crypto/poly1305/asm/poly1305-armv8.pl @@ -864,8 +864,8 @@ poly1305_blocks_neon: st1 {$ACC4}[0],[$ctx] .Lno_data_neon: - .inst 0xd50323bf // autiasp ldr x29,[sp],#80 + .inst 0xd50323bf // autiasp ret .size poly1305_blocks_neon,.-poly1305_blocks_neon
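Review bot: In the `.Lno_data_neon` epilogue, nothing at the site records that `.inst 0xd50323bf // autiasp` must come after the post-indexed `ldr x29,[sp],#80`, so a later reordering could reintroduce the crash. The new order is correct because the load releases the 80-byte frame, and authentication then runs with SP at the value the commit message says it must have. Please extend the comment on the `.inst` line, for example to `// autiasp (SP must equal its value at paciasp)`. The hunk shows only this one return path and not the signing instruction in the prologue, so confirm that the PAC is generated before the 80-byte frame is allocated and that any other `autiasp` in this file follows its frame teardown in the same way. Note also that only x29 is reloaded here, so the check covers the live x30 rather than a copy restored from the stack. That is fine if nothing in the function spills and reloads x30, which is worth stating in the commit message.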