Control: fixed 989604 1.1.1i-1
Control: tags 989604 + buster patch
This crash was introduced by OpenSSL_1_1_1b~37:
https://github.com/openssl/openssl/commit/2cf7fd698ec1375421f91338ff8a44e7da5238b6
and fixed by OpenSSL_1_1_1i~21:
https://github.com/openssl/openssl/commit/5795acffd8706e1cb584284ee5bb3a30986d0e75
The fix is trivial, swapping two lines of assembly. I’ve attached it as a
debdiff, and tested it in a Debian 10 container on an M1 MacBook. Can it
be considered for oldstable?
Anders
diff -Nru openssl-1.1.1d/debian/changelog openssl-1.1.1d/debian/changelog
--- openssl-1.1.1d/debian/changelog 2021-08-24 01:30:43.000000000 -0700
+++ openssl-1.1.1d/debian/changelog 2022-01-25 18:53:14.000000000 -0800
@@ -1,3 +1,10 @@
+openssl (1.1.1d-0+deb10u8) buster-security; urgency=medium
+
+ * debian/patches/crypto-poly1305-asm-fix-armv8-pointer-authentication.patch:
+ Fix segfault in Poly1305 on aarch64 (Closes: #989604).
+
+ -- Anders Kaseorg <ande...@mit.edu> Tue, 25 Jan 2022 18:53:14 -0800
+
openssl (1.1.1d-0+deb10u7) buster-security; urgency=medium
* CVE-2021-3711 (SM2 Decryption Buffer Overflow).
diff -Nru
openssl-1.1.1d/debian/patches/crypto-poly1305-asm-fix-armv8-pointer-authentication.patch
openssl-1.1.1d/debian/patches/crypto-poly1305-asm-fix-armv8-pointer-authentication.patch
---
openssl-1.1.1d/debian/patches/crypto-poly1305-asm-fix-armv8-pointer-authentication.patch
1969-12-31 16:00:00.000000000 -0800
+++
openssl-1.1.1d/debian/patches/crypto-poly1305-asm-fix-armv8-pointer-authentication.patch
2022-01-25 18:51:11.000000000 -0800
@@ -0,0 +1,34 @@
+From: Ard Biesheuvel <ard.biesheu...@arm.com>
+Date: Tue, 27 Oct 2020 18:02:40 +0100
+Subject: crypto/poly1305/asm: fix armv8 pointer authentication
+
+PAC pointer authentication signs the return address against the value
+of the stack pointer, to prevent stack overrun exploits from corrupting
+the control flow. However, this requires that the AUTIASP is issued with
+SP holding the same value as it held when the PAC value was generated.
+The Poly1305 armv8 code got this wrong, resulting in crashes on PAC
+capable hardware.
+
+Reviewed-by: Paul Dale <paul.d...@oracle.com>
+Reviewed-by: Tomas Mraz <tm...@fedoraproject.org>
+(Merged from https://github.com/openssl/openssl/pull/13256)
+
+(cherry picked from commit fcf6e9d056162d5af64c6f7209388a5c3be2ce57)
+---
+ crypto/poly1305/asm/poly1305-armv8.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/poly1305/asm/poly1305-armv8.pl
b/crypto/poly1305/asm/poly1305-armv8.pl
+index d07494bd18..2a42b64a92 100755
+--- a/crypto/poly1305/asm/poly1305-armv8.pl
++++ b/crypto/poly1305/asm/poly1305-armv8.pl
+@@ -864,8 +864,8 @@ poly1305_blocks_neon:
+ st1 {$ACC4}[0],[$ctx]
+
+ .Lno_data_neon:
+- .inst 0xd50323bf // autiasp
+ ldr x29,[sp],#80
++ .inst 0xd50323bf // autiasp
+ ret
+ .size poly1305_blocks_neon,.-poly1305_blocks_neon
+
diff -Nru openssl-1.1.1d/debian/patches/series
openssl-1.1.1d/debian/patches/series
--- openssl-1.1.1d/debian/patches/series 2021-08-24 01:30:27.000000000
-0700
+++ openssl-1.1.1d/debian/patches/series 2022-01-25 18:51:15.000000000
-0800
@@ -38,3 +38,4 @@
fixup-Allow-fuzz-builds-to-detect-string-overruns.patch
fixup-Fix-the-name-constraints-code-to-not-assume-NUL-ter.patch
fixup-Fix-i2v_GENERAL_NAME-to-not-assume-NUL-terminated-s.patch
+crypto-poly1305-asm-fix-armv8-pointer-authentication.patch
