diff options
author | Andy Polyakov <appro@openssl.org> | 2017-01-21 21:30:49 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-01-26 11:54:01 +0100 |
commit | 3f4bcf5bb664b47ed369a70b99fac4e0ad141bb3 (patch) | |
tree | e658c243793155d8639a05b1f2fe5bd654355a75 /crypto/bn | |
parent | test/bntest.c: regression test for carry bug in bn_sqr8x_internal. (diff) | |
download | openssl-3f4bcf5bb664b47ed369a70b99fac4e0ad141bb3.tar.xz openssl-3f4bcf5bb664b47ed369a70b99fac4e0ad141bb3.zip |
bn/asm/x86_64-mont5.pl: fix carry bug in bn_sqr8x_internal.
CVE-2017-3732
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'crypto/bn')
-rwxr-xr-x | crypto/bn/asm/x86_64-mont5.pl | 16 |
1 files changed, 7 insertions, 9 deletions
diff --git a/crypto/bn/asm/x86_64-mont5.pl b/crypto/bn/asm/x86_64-mont5.pl index 8f49391727..d041d738cf 100755 --- a/crypto/bn/asm/x86_64-mont5.pl +++ b/crypto/bn/asm/x86_64-mont5.pl @@ -1934,6 +1934,7 @@ __bn_sqr8x_reduction: .align 32 .L8x_tail_done: + xor %rax,%rax add (%rdx),%r8 # can this overflow? adc \$0,%r9 adc \$0,%r10 @@ -1941,10 +1942,8 @@ __bn_sqr8x_reduction: adc \$0,%r12 adc \$0,%r13 adc \$0,%r14 - adc \$0,%r15 # can't overflow, because we - # started with "overhung" part - # of multiplication - xor %rax,%rax + adc \$0,%r15 + adc \$0,%rax neg $carry .L8x_no_tail: @@ -3384,6 +3383,7 @@ __bn_sqrx8x_reduction: .align 32 .Lsqrx8x_tail_done: + xor %rax,%rax add 24+8(%rsp),%r8 # can this overflow? adc \$0,%r9 adc \$0,%r10 @@ -3391,10 +3391,8 @@ __bn_sqrx8x_reduction: adc \$0,%r12 adc \$0,%r13 adc \$0,%r14 - adc \$0,%r15 # can't overflow, because we - # started with "overhung" part - # of multiplication - mov $carry,%rax # xor %rax,%rax + adc \$0,%r15 + adc \$0,%rax sub 16+8(%rsp),$carry # mov 16(%rsp),%cf .Lsqrx8x_no_tail: # %cf is 0 if jumped here @@ -3409,7 +3407,7 @@ __bn_sqrx8x_reduction: adc 8*5($tptr),%r13 adc 8*6($tptr),%r14 adc 8*7($tptr),%r15 - adc %rax,%rax # top-most carry + adc \$0,%rax # top-most carry mov 32+8(%rsp),%rbx # n0 mov 8*8($tptr,%rcx),%rdx # modulo-scheduled "%r8" |