crypto: arm64/poly1305-neon - reorder PAC authentication with SP update

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

PAC pointer authentication signs the return address against the value
of the stack pointer, to prevent stack overrun exploits from corrupting
the control flow. However, this requires that the AUTIASP is issued with
SP holding the same value as it held when the PAC value was generated.
The Poly1305 NEON code got this wrong, resulting in crashes on PAC
capable hardware.

Fixes: f569ca164751 ("crypto: arm64/poly1305 - incorporate OpenSSL/CRYPTOGAMS ...")
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

authored by

Ard Biesheuvel and committed by

Herbert Xu 5 years ago 519a0d7e 92eb6c30

+2 -2

2 changed files

expand all

arch

arm64

crypto

poly1305-armv8.pl

poly1305-core.S_shipped

+1 -1

arch/arm64/crypto/poly1305-armv8.pl

··· 840 840 ldp d14,d15,[sp,#64] 841 841 addp $ACC2,$ACC2,$ACC2 842 842 ldr x30,[sp,#8] 843 - .inst 0xd50323bf // autiasp 844 843 845 844 //////////////////////////////////////////////////////////////// 846 845 // lazy reduction, but without narrowing ··· 881 882 str x4,[$ctx,#8] // set is_base2_26 882 883 883 884 ldr x29,[sp],#80 885 + .inst 0xd50323bf // autiasp 884 886 ret 885 887 .size poly1305_blocks_neon,.-poly1305_blocks_neon 886 888

+1 -1

arch/arm64/crypto/poly1305-core.S_shipped

··· 779 779 ldp d14,d15,[sp,#64] 780 780 addp v21.2d,v21.2d,v21.2d 781 781 ldr x30,[sp,#8] 782 - .inst 0xd50323bf // autiasp 783 782 784 783 //////////////////////////////////////////////////////////////// 785 784 // lazy reduction, but without narrowing ··· 820 821 str x4,[x0,#8] // set is_base2_26 821 822 822 823 ldr x29,[sp],#80 824 + .inst 0xd50323bf // autiasp 823 825 ret 824 826 .size poly1305_blocks_neon,.-poly1305_blocks_neon 825 827