[Pkg-openssl-devel] Bug#989604: libssl1.1: segfault on arm64 (M1) with some ciphers e.g. curl https://dl.yarnpkg.com

Anders Kaseorg andersk at mit.edu
Wed Jan 26 03:10:00 GMT 2022


Control: fixed 989604 1.1.1i-1
Control: tags 989604 + buster patch

This crash was introduced by OpenSSL_1_1_1b~37:
https://github.com/openssl/openssl/commit/2cf7fd698ec1375421f91338ff8a44e7da5238b6
and fixed by OpenSSL_1_1_1i~21:
https://github.com/openssl/openssl/commit/5795acffd8706e1cb584284ee5bb3a30986d0e75

The fix is trivial, swapping two lines of assembly.  I’ve attached it as a 
debdiff, and tested it in a Debian 10 container on an M1 MacBook.  Can it 
be considered for oldstable?

Anders
-------------- next part --------------
diff -Nru openssl-1.1.1d/debian/changelog openssl-1.1.1d/debian/changelog
--- openssl-1.1.1d/debian/changelog	2021-08-24 01:30:43.000000000 -0700
+++ openssl-1.1.1d/debian/changelog	2022-01-25 18:53:14.000000000 -0800
@@ -1,3 +1,10 @@
+openssl (1.1.1d-0+deb10u8) buster-security; urgency=medium
+
+  * debian/patches/crypto-poly1305-asm-fix-armv8-pointer-authentication.patch:
+    Fix segfault in Poly1305 on aarch64 (Closes: #989604).
+
+ -- Anders Kaseorg <andersk at mit.edu>  Tue, 25 Jan 2022 18:53:14 -0800
+
 openssl (1.1.1d-0+deb10u7) buster-security; urgency=medium
 
   * CVE-2021-3711 (SM2 Decryption Buffer Overflow).
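Review bot: The new top entry in debian/changelog targets `buster-security`, yet unlike the 1.1.1d-0+deb10u7 entry below it, it references no CVE and describes a crash fix. Since the cover mail asks for consideration for oldstable, please confirm whether the distribution field should be `buster` instead. Naming the upstream commit in the entry would also let the changelog identify the origin of the fix on its own.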
diff -Nru openssl-1.1.1d/debian/patches/crypto-poly1305-asm-fix-armv8-pointer-authentication.patch openssl-1.1.1d/debian/patches/crypto-poly1305-asm-fix-armv8-pointer-authentication.patch
--- openssl-1.1.1d/debian/patches/crypto-poly1305-asm-fix-armv8-pointer-authentication.patch	1969-12-31 16:00:00.000000000 -0800
+++ openssl-1.1.1d/debian/patches/crypto-poly1305-asm-fix-armv8-pointer-authentication.patch	2022-01-25 18:51:11.000000000 -0800
@@ -0,0 +1,34 @@
+From: Ard Biesheuvel <ard.biesheuvel at arm.com>
+Date: Tue, 27 Oct 2020 18:02:40 +0100
+Subject: crypto/poly1305/asm: fix armv8 pointer authentication
+
+PAC pointer authentication signs the return address against the value
+of the stack pointer, to prevent stack overrun exploits from corrupting
+the control flow. However, this requires that the AUTIASP is issued with
+SP holding the same value as it held when the PAC value was generated.
+The Poly1305 armv8 code got this wrong, resulting in crashes on PAC
+capable hardware.
+
+Reviewed-by: Paul Dale <paul.dale at oracle.com>
+Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
+(Merged from https://github.com/openssl/openssl/pull/13256)
+
+(cherry picked from commit fcf6e9d056162d5af64c6f7209388a5c3be2ce57)
+---
+ crypto/poly1305/asm/poly1305-armv8.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/poly1305/asm/poly1305-armv8.pl b/crypto/poly1305/asm/poly1305-armv8.pl
+index d07494bd18..2a42b64a92 100755
+--- a/crypto/poly1305/asm/poly1305-armv8.pl
++++ b/crypto/poly1305/asm/poly1305-armv8.pl
+@@ -864,8 +864,8 @@ poly1305_blocks_neon:
+ 	st1	{$ACC4}[0],[$ctx]
+ 
+ .Lno_data_neon:
+-	.inst	0xd50323bf		// autiasp
+ 	ldr	x29,[sp],#80
++	.inst	0xd50323bf		// autiasp
+ 	ret
+ .size	poly1305_blocks_neon,.-poly1305_blocks_neon
+ 
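Review bot: Only the `.Lno_data_neon` epilogue of `poly1305_blocks_neon` is touched, so please confirm that no other return path in poly1305-armv8.pl still issues `autiasp` before its SP restore. The reordering here looks right: `ldr x29,[sp],#80` post-increments SP, so SP only holds the value the return address was signed against after that load has executed. On the patch header, the cherry-pick line names commit fcf6e9d056162d5af64c6f7209388a5c3be2ce57, while the cover mail cites 5795acffd8706e1cb584284ee5bb3a30986d0e75 as the 1.1.1 fix. An `Origin:` line pointing at the 1.1.1-branch commit would make the provenance unambiguous.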
diff -Nru openssl-1.1.1d/debian/patches/series openssl-1.1.1d/debian/patches/series
--- openssl-1.1.1d/debian/patches/series	2021-08-24 01:30:27.000000000 -0700
+++ openssl-1.1.1d/debian/patches/series	2022-01-25 18:51:15.000000000 -0800
@@ -38,3 +38,4 @@
 fixup-Allow-fuzz-builds-to-detect-string-overruns.patch
 fixup-Fix-the-name-constraints-code-to-not-assume-NUL-ter.patch
 fixup-Fix-i2v_GENERAL_NAME-to-not-assume-NUL-terminated-s.patch
+crypto-poly1305-asm-fix-armv8-pointer-authentication.patch

