2020-10-27 00:08:26

by Ard Biesheuvel

Subject: Re: [PATCH] crypto: arm64/poly1305-neon - reorder PAC authentication with SP update

On Tue, 27 Oct 2020 at 00:03, Eric Biggers <[email protected]> wrote:
>
> On Tue, Oct 27, 2020 at 12:00:27AM +0100, Ard Biesheuvel wrote:
> > PAC pointer authentication signs the return address against the value
> > of the stack pointer, to prevent stack overrun exploits from corrupting
> > the control flow. However, this requires that the AUTIASP is issued with
> > SP holding the same value as it held when the PAC value was generated.
> > The Poly1305 NEON code got this wrong, resulting in crashes on PAC
> > capable hardware.
> >
> > Fixes: f569ca164751 ("crypto: arm64/poly1305 - incorporate OpenSSL/CRYPTOGAMS ...")
> > Signed-off-by: Ard Biesheuvel <[email protected]>
> > ---
> > arch/arm64/crypto/poly1305-armv8.pl | 2 +-
> > arch/arm64/crypto/poly1305-core.S_shipped | 2 +-
> > 2 files changed, 2 insertions(+), 2 deletions(-)
>
> This needs to be fixed at https://github.com/dot-asm/cryptogams too, I assume?
>

Yes, and in OpenSSL.


2020-10-27 00:08:57

by Ard Biesheuvel

Subject: Re: [PATCH] crypto: arm64/poly1305-neon - reorder PAC authentication with SP update

(+ Andy)

On Tue, 27 Oct 2020 at 00:04, Ard Biesheuvel <[email protected]> wrote:
>
> On Tue, 27 Oct 2020 at 00:03, Eric Biggers <[email protected]> wrote:
> >
> > On Tue, Oct 27, 2020 at 12:00:27AM +0100, Ard Biesheuvel wrote:
> > > PAC pointer authentication signs the return address against the value
> > > of the stack pointer, to prevent stack overrun exploits from corrupting
> > > the control flow. However, this requires that the AUTIASP is issued with
> > > SP holding the same value as it held when the PAC value was generated.
> > > The Poly1305 NEON code got this wrong, resulting in crashes on PAC
> > > capable hardware.
> > >
> > > Fixes: f569ca164751 ("crypto: arm64/poly1305 - incorporate OpenSSL/CRYPTOGAMS ...")
> > > Signed-off-by: Ard Biesheuvel <[email protected]>
> > > ---
> > > arch/arm64/crypto/poly1305-armv8.pl | 2 +-
> > > arch/arm64/crypto/poly1305-core.S_shipped | 2 +-
> > > 2 files changed, 2 insertions(+), 2 deletions(-)
> >
> > This needs to be fixed at https://github.com/dot-asm/cryptogams too, I assume?
> >
>
> Yes, and in OpenSSL.

2020-10-29 13:30:21

by Andy Polyakov

Subject: Re: [PATCH] crypto: arm64/poly1305-neon - reorder PAC authentication with SP update

> (+ Andy)

Thanks! Applied to cryptogams, pinged openssl. Cheers.
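
The SP-as-modifier requirement from the quoted commit message, as an added software model that is not part of this thread, the kernel patch, or CRYPTOGAMS. The names `model_mac`, `model_paciasp`, `model_autiasp` and `run_frame`, the key, the 16-bit tag layout and the sample addresses are all constructed assumptions; the toy keyed mix stands in for the hardware PAC algorithm.

```c
#include <stdint.h>
#include <stdio.h>

#define PAC_SHIFT 48                          /* model: tag kept in bits 63:48 */
#define ADDR_MASK ((1ULL << PAC_SHIFT) - 1)
static const uint64_t MODEL_KEY = 0x243f6a8885a308d3ULL; /* constructed key */

/* Toy keyed tag over (address, modifier); NOT the hardware PAC algorithm. */
static uint64_t model_mac(uint64_t addr, uint64_t modifier)
{
    uint64_t x = (addr ^ MODEL_KEY) * 0xff51afd7ed558ccdULL;
    x ^= x >> 33;
    return (x + modifier * 0x9e3779b97f4a7c15ULL) & 0xffff;
}

/* Model of PACIASP: sign the return address with the current SP as modifier. */
static uint64_t model_paciasp(uint64_t lr, uint64_t sp)
{
    return (lr & ADDR_MASK) | (model_mac(lr & ADDR_MASK, sp) << PAC_SHIFT);
}

/* Model of AUTIASP: recompute the tag with the current SP and compare.
 * Returns 1 and the stripped address on a match, 0 on a mismatch. */
static int model_autiasp(uint64_t signed_lr, uint64_t sp, uint64_t *lr_out)
{
    uint64_t addr = signed_lr & ADDR_MASK;
    if ((signed_lr >> PAC_SHIFT) != model_mac(addr, sp))
        return 0;
    *lr_out = addr;
    return 1;
}

/* One call frame: sign at entry SP, allocate `frame` bytes, then run the
 * epilogue in one of two orders (the order is a parameter of this model). */
static int run_frame(uint64_t sp, uint64_t lr, uint64_t frame, int auth_first)
{
    uint64_t out = 0, signed_lr = model_paciasp(lr, sp);
    sp -= frame;                      /* prologue: push the frame */
    if (!auth_first)
        sp += frame;                  /* epilogue: restore SP before authenticating */
    return model_autiasp(signed_lr, sp, &out) && out == lr;
}

int main(void)
{
    uint64_t sp = 0x0000ffff80001f50ULL, lr = 0x00008000104f2a3cULL; /* constructed */
    printf("restore SP, then authenticate: %d\n", run_frame(sp, lr, 80, 0));
    printf("authenticate, then restore SP: %d\n", run_frame(sp, lr, 80, 1));
    return 0;
}
```

A mismatch is reported here as a 0 return; on PAC-capable hardware the thread reports the result as crashes.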