openssl: backport fix for CVE-2023-6129

(From OE-Core rev: 7fa10f29b31f8aae572026a00a6354aec539d044) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross.burton@arm.com> 2024-01-29 18:07:02 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2024-02-02 11:06:17 +0000
commit: e5604d346c6b2014a689128f8bbb7bde5a1e5c0f (patch)
tree: 75b850f6ecbab4cb57e072cc60c8e2d717c07317 /meta/recipes-connectivity/openssl
parent: 4584746c1acaea848d1ee0329cefa2a51b5049a7 (diff)
download: poky-e5604d346c6b2014a689128f8bbb7bde5a1e5c0f.tar.gz
2 files changed, 114 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-6129.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-6129.patch
new file mode 100644
index 0000000000..c2cbedd1b7
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-6129.patch
@@ -0,0 +1,113 @@
+From 5b139f95c9a47a55a0c54100f3837b1eee942b04 Mon Sep 17 00:00:00 2001
+From: Rohan McLure <rmclure@linux.ibm.com>
+Date: Thu, 4 Jan 2024 10:25:50 +0100
+Subject: [PATCH] poly1305-ppc.pl: Fix vector register clobbering
+Fixes CVE-2023-6129
+The POLY1305 MAC (message authentication code) implementation in OpenSSL for
+PowerPC CPUs saves the the contents of vector registers in different order
+than they are restored. Thus the contents of some of these vector registers
+is corrupted when returning to the caller. The vulnerable code is used only
+on newer PowerPC processors supporting the PowerISA 2.07 instructions.
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/23200)
+(cherry picked from commit 8d847a3ffd4f0b17ee33962cf69c36224925b34f)
+CVE: CVE-2023-6129
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ crypto/poly1305/asm/poly1305-ppc.pl | 42 ++++++++++++++---------------
+ 1 file changed, 21 insertions(+), 21 deletions(-)
+diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl
+index 9f86134d923fb..2e601bb9c24be 100755
+--- a/crypto/poly1305/asm/poly1305-ppc.pl
+++ b/crypto/poly1305/asm/poly1305-ppc.pl
+@@ -744,7 +744,7 @@
+ my $LOCALS= 6*$SIZE_T;
+ my $VSXFRAME = $LOCALS + 6*$SIZE_T;
+    $VSXFRAME += 128;   # local variables
+-   $VSXFRAME += 13*16; # v20-v31 offload
+   $VSXFRAME += 12*16; # v20-v31 offload
+ 
+ my $BIG_ENDIAN = ($flavour !~ /le/) ? 4 : 0;
+ 
+@@ -919,12 +919,12 @@
+        addi    r11,r11,32
+        stvx    v22,r10,$sp
+        addi    r10,r10,32
+-       stvx    v23,r10,$sp
+-       addi    r10,r10,32
+-       stvx    v24,r11,$sp
+       stvx    v23,r11,$sp
+        addi    r11,r11,32
+-       stvx    v25,r10,$sp
+       stvx    v24,r10,$sp
+        addi    r10,r10,32
+       stvx    v25,r11,$sp
+       addi    r11,r11,32
+        stvx    v26,r10,$sp
+        addi    r10,r10,32
+        stvx    v27,r11,$sp
+@@ -1153,12 +1153,12 @@
+        addi    r11,r11,32
+        stvx    v22,r10,$sp
+        addi    r10,r10,32
+-       stvx    v23,r10,$sp
+-       addi    r10,r10,32
+-       stvx    v24,r11,$sp
+       stvx    v23,r11,$sp
+        addi    r11,r11,32
+-       stvx    v25,r10,$sp
+       stvx    v24,r10,$sp
+        addi    r10,r10,32
+       stvx    v25,r11,$sp
+       addi    r11,r11,32
+        stvx    v26,r10,$sp
+        addi    r10,r10,32
+        stvx    v27,r11,$sp
+@@ -1899,26 +1899,26 @@
+        mtspr   256,r12                         # restore vrsave
+        lvx     v20,r10,$sp
+        addi    r10,r10,32
+-       lvx     v21,r10,$sp
+-       addi    r10,r10,32
+-       lvx     v22,r11,$sp
+       lvx     v21,r11,$sp
+        addi    r11,r11,32
+-       lvx     v23,r10,$sp
+       lvx     v22,r10,$sp
+        addi    r10,r10,32
+-       lvx     v24,r11,$sp
+       lvx     v23,r11,$sp
+        addi    r11,r11,32
+-       lvx     v25,r10,$sp
+       lvx     v24,r10,$sp
+        addi    r10,r10,32
+-       lvx     v26,r11,$sp
+       lvx     v25,r11,$sp
+        addi    r11,r11,32
+-       lvx     v27,r10,$sp
+       lvx     v26,r10,$sp
+        addi    r10,r10,32
+-       lvx     v28,r11,$sp
+       lvx     v27,r11,$sp
+        addi    r11,r11,32
+-       lvx     v29,r10,$sp
+       lvx     v28,r10,$sp
+        addi    r10,r10,32
+-       lvx     v30,r11,$sp
+-       lvx     v31,r10,$sp
+       lvx     v29,r11,$sp
+       addi    r11,r11,32
+       lvx     v30,r10,$sp
+       lvx     v31,r11,$sp
+        $POP    r27,`$VSXFRAME-$SIZE_T*5`($sp)
+        $POP    r28,`$VSXFRAME-$SIZE_T*4`($sp)
+        $POP    r29,`$VSXFRAME-$SIZE_T*3`($sp)
diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.0.bb b/meta/recipes-connectivity/openssl/openssl_3.2.0.bb
index cf08cdbaa0..b2cdf761fc 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.2.0.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.2.0.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
           file://0001-Added-handshake-history-reporting-when-test-fails.patch \
           file://aarch64-bti.patch \
           file://0001-riscv-Fix-mispelling-of-extension-test-macro.patch \
+           file://CVE-2023-6129.patch \
           "
 SRC_URI:append:class-nativesdk = " \
author	Ross Burton <ross.burton@arm.com>	2024-01-29 18:07:02 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2024-02-02 11:06:17 +0000
commit	e5604d346c6b2014a689128f8bbb7bde5a1e5c0f (patch)
tree	75b850f6ecbab4cb57e072cc60c8e2d717c07317 /meta/recipes-connectivity/openssl
parent	4584746c1acaea848d1ee0329cefa2a51b5049a7 (diff)
download	poky-e5604d346c6b2014a689128f8bbb7bde5a1e5c0f.tar.gz

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-6129.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-6129.patch new file mode 100644 index 0000000000..c2cbedd1b7 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-6129.patch
@@ -0,0 +1,113 @@
		1	From 5b139f95c9a47a55a0c54100f3837b1eee942b04 Mon Sep 17 00:00:00 2001
		2	From: Rohan McLure <rmclure@linux.ibm.com>
		3	Date: Thu, 4 Jan 2024 10:25:50 +0100
		4	Subject: [PATCH] poly1305-ppc.pl: Fix vector register clobbering
		5
		6	Fixes CVE-2023-6129
		7
		8	The POLY1305 MAC (message authentication code) implementation in OpenSSL for
		9	PowerPC CPUs saves the the contents of vector registers in different order
		10	than they are restored. Thus the contents of some of these vector registers
		11	is corrupted when returning to the caller. The vulnerable code is used only
		12	on newer PowerPC processors supporting the PowerISA 2.07 instructions.
		13
		14	Reviewed-by: Matt Caswell <matt@openssl.org>
		15	Reviewed-by: Richard Levitte <levitte@openssl.org>
		16	Reviewed-by: Tomas Mraz <tomas@openssl.org>
		17	(Merged from https://github.com/openssl/openssl/pull/23200)
		18
		19	(cherry picked from commit 8d847a3ffd4f0b17ee33962cf69c36224925b34f)
		20
		21	CVE: CVE-2023-6129
		22	Upstream-Status: Backport
		23	Signed-off-by: Ross Burton <ross.burton@arm.com>
		24	---
		25	crypto/poly1305/asm/poly1305-ppc.pl \| 42 ++++++++++++++---------------
		26	1 file changed, 21 insertions(+), 21 deletions(-)
		27
		28	diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl
		29	index 9f86134d923fb..2e601bb9c24be 100755
		30	--- a/crypto/poly1305/asm/poly1305-ppc.pl
		31	+++ b/crypto/poly1305/asm/poly1305-ppc.pl
		32	@@ -744,7 +744,7 @@
		33	my $LOCALS= 6*$SIZE_T;
		34	my $VSXFRAME = $LOCALS + 6*$SIZE_T;
		35	$VSXFRAME += 128; # local variables
		36	- $VSXFRAME += 13*16; # v20-v31 offload
		37	+ $VSXFRAME += 12*16; # v20-v31 offload
		38
		39	my $BIG_ENDIAN = ($flavour !~ /le/) ? 4 : 0;
		40
		41	@@ -919,12 +919,12 @@
		42	addi r11,r11,32
		43	stvx v22,r10,$sp
		44	addi r10,r10,32
		45	- stvx v23,r10,$sp
		46	- addi r10,r10,32
		47	- stvx v24,r11,$sp
		48	+ stvx v23,r11,$sp
		49	addi r11,r11,32
		50	- stvx v25,r10,$sp
		51	+ stvx v24,r10,$sp
		52	addi r10,r10,32
		53	+ stvx v25,r11,$sp
		54	+ addi r11,r11,32
		55	stvx v26,r10,$sp
		56	addi r10,r10,32
		57	stvx v27,r11,$sp
		58	@@ -1153,12 +1153,12 @@
		59	addi r11,r11,32
		60	stvx v22,r10,$sp
		61	addi r10,r10,32
		62	- stvx v23,r10,$sp
		63	- addi r10,r10,32
		64	- stvx v24,r11,$sp
		65	+ stvx v23,r11,$sp
		66	addi r11,r11,32
		67	- stvx v25,r10,$sp
		68	+ stvx v24,r10,$sp
		69	addi r10,r10,32
		70	+ stvx v25,r11,$sp
		71	+ addi r11,r11,32
		72	stvx v26,r10,$sp
		73	addi r10,r10,32
		74	stvx v27,r11,$sp
		75	@@ -1899,26 +1899,26 @@
		76	mtspr 256,r12 # restore vrsave
		77	lvx v20,r10,$sp
		78	addi r10,r10,32
		79	- lvx v21,r10,$sp
		80	- addi r10,r10,32
		81	- lvx v22,r11,$sp
		82	+ lvx v21,r11,$sp
		83	addi r11,r11,32
		84	- lvx v23,r10,$sp
		85	+ lvx v22,r10,$sp
		86	addi r10,r10,32
		87	- lvx v24,r11,$sp
		88	+ lvx v23,r11,$sp
		89	addi r11,r11,32
		90	- lvx v25,r10,$sp
		91	+ lvx v24,r10,$sp
		92	addi r10,r10,32
		93	- lvx v26,r11,$sp
		94	+ lvx v25,r11,$sp
		95	addi r11,r11,32
		96	- lvx v27,r10,$sp
		97	+ lvx v26,r10,$sp
		98	addi r10,r10,32
		99	- lvx v28,r11,$sp
		100	+ lvx v27,r11,$sp
		101	addi r11,r11,32
		102	- lvx v29,r10,$sp
		103	+ lvx v28,r10,$sp
		104	addi r10,r10,32
		105	- lvx v30,r11,$sp
		106	- lvx v31,r10,$sp
		107	+ lvx v29,r11,$sp
		108	+ addi r11,r11,32
		109	+ lvx v30,r10,$sp
		110	+ lvx v31,r11,$sp
		111	$POP r27,`$VSXFRAME-$SIZE_T*5`($sp)
		112	$POP r28,`$VSXFRAME-$SIZE_T*4`($sp)
		113	$POP r29,`$VSXFRAME-$SIZE_T*3`($sp)


diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.0.bb b/meta/recipes-connectivity/openssl/openssl_3.2.0.bb index cf08cdbaa0..b2cdf761fc 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.2.0.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.2.0.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
14	file://0001-Added-handshake-history-reporting-when-test-fails.patch \	14	file://0001-Added-handshake-history-reporting-when-test-fails.patch \
15	file://aarch64-bti.patch \	15	file://aarch64-bti.patch \
16	file://0001-riscv-Fix-mispelling-of-extension-test-macro.patch \	16	file://0001-riscv-Fix-mispelling-of-extension-test-macro.patch \
		17	file://CVE-2023-6129.patch \
17	"	18	"
18		19
19	SRC_URI:append:class-nativesdk = " \	20	SRC_URI:append:class-nativesdk = " \