POLY1305 MAC implementation corrupts vector registers on PowerPC (CVE-2023-6129)

Resolves: RHEL-21151
2024-01-19 14:59:04 +01:00 · 2024-01-19 14:59:04 +01:00 · 3c49cf388a
parent 6c9dd70b94
commit 3c49cf388a
2 changed files with 90 additions and 0 deletions
--- a/0132-CVE-2023-6129.patch
+++ b/0132-CVE-2023-6129.patch
@ -0,0 +1,86 @@
+diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl
+index 9f86134d923fb..2e601bb9c24be 100755
+--- a/crypto/poly1305/asm/poly1305-ppc.pl
+++ b/crypto/poly1305/asm/poly1305-ppc.pl
+@@ -744,7 +744,7 @@
+ my $LOCALS= 6*$SIZE_T;
+ my $VSXFRAME = $LOCALS + 6*$SIZE_T;
+    $VSXFRAME += 128;	# local variables
+-   $VSXFRAME += 13*16;	# v20-v31 offload
+   $VSXFRAME += 12*16;	# v20-v31 offload
+ 
+ my $BIG_ENDIAN = ($flavour !~ /le/) ? 4 : 0;
+ 
+@@ -919,12 +919,12 @@
+ 	addi	r11,r11,32
+ 	stvx	v22,r10,$sp
+ 	addi	r10,r10,32
+-	stvx	v23,r10,$sp
+-	addi	r10,r10,32
+-	stvx	v24,r11,$sp
+	stvx	v23,r11,$sp
+ 	addi	r11,r11,32
+-	stvx	v25,r10,$sp
+	stvx	v24,r10,$sp
+ 	addi	r10,r10,32
+	stvx	v25,r11,$sp
+	addi	r11,r11,32
+ 	stvx	v26,r10,$sp
+ 	addi	r10,r10,32
+ 	stvx	v27,r11,$sp
+@@ -1153,12 +1153,12 @@
+ 	addi	r11,r11,32
+ 	stvx	v22,r10,$sp
+ 	addi	r10,r10,32
+-	stvx	v23,r10,$sp
+-	addi	r10,r10,32
+-	stvx	v24,r11,$sp
+	stvx	v23,r11,$sp
+ 	addi	r11,r11,32
+-	stvx	v25,r10,$sp
+	stvx	v24,r10,$sp
+ 	addi	r10,r10,32
+	stvx	v25,r11,$sp
+	addi	r11,r11,32
+ 	stvx	v26,r10,$sp
+ 	addi	r10,r10,32
+ 	stvx	v27,r11,$sp
+@@ -1899,26 +1899,26 @@
+ 	mtspr	256,r12				# restore vrsave
+ 	lvx	v20,r10,$sp
+ 	addi	r10,r10,32
+-	lvx	v21,r10,$sp
+-	addi	r10,r10,32
+-	lvx	v22,r11,$sp
+	lvx	v21,r11,$sp
+ 	addi	r11,r11,32
+-	lvx	v23,r10,$sp
+	lvx	v22,r10,$sp
+ 	addi	r10,r10,32
+-	lvx	v24,r11,$sp
+	lvx	v23,r11,$sp
+ 	addi	r11,r11,32
+-	lvx	v25,r10,$sp
+	lvx	v24,r10,$sp
+ 	addi	r10,r10,32
+-	lvx	v26,r11,$sp
+	lvx	v25,r11,$sp
+ 	addi	r11,r11,32
+-	lvx	v27,r10,$sp
+	lvx	v26,r10,$sp
+ 	addi	r10,r10,32
+-	lvx	v28,r11,$sp
+	lvx	v27,r11,$sp
+ 	addi	r11,r11,32
+-	lvx	v29,r10,$sp
+	lvx	v28,r10,$sp
+ 	addi	r10,r10,32
+-	lvx	v30,r11,$sp
+-	lvx	v31,r10,$sp
+	lvx	v29,r11,$sp
+	addi	r11,r11,32
+	lvx	v30,r10,$sp
+	lvx	v31,r11,$sp
+ 	$POP	r27,`$VSXFRAME-$SIZE_T*5`($sp)
+ 	$POP	r28,`$VSXFRAME-$SIZE_T*4`($sp)
+ 	$POP	r29,`$VSXFRAME-$SIZE_T*3`($sp)
--- a/openssl.spec
+++ b/openssl.spec
@ -206,6 +206,8 @@ Patch129: 0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch
 Patch130: 0130-CVE-2023-5678.patch
 # https://github.com/openssl/openssl/pull/20317
 Patch131: 0131-sslgroups-memleak.patch
+# https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35
+Patch132: 0132-CVE-2023-6129.patch

 License: ASL 2.0
 URL: http://www.openssl.org/
@ -542,6 +544,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
  Resolves: RHEL-17193
 - Eliminate memory leak in OpenSSL when setting elliptic curves on SSL context
  Resolves: RHEL-19515
+- POLY1305 MAC implementation corrupts vector registers on PowerPC (CVE-2023-6129)
+  Resolves: RHEL-21151

 * Mon Oct 16 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-25
 - Provide relevant diagnostics when FIPS checksum is corrupted