[PATCH][V2][Jethro, fido 1/3] openssl: fix for CVE-2015-3193

[PATCH][V2][Jethro, fido 1/3] openssl: fix for CVE-2015-3193

[Armin Kuster]

From: Armin Kuster <akuster@mvista.com>

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 ...64-mont5.pl-fix-carry-propagating-bug-CVE.patch | 101 +++++++++++++++++++++
 .../recipes-connectivity/openssl/openssl_1.0.2d.bb |   1 +
 2 files changed, 102 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch
new file mode 100644
index 0000000..125016a
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch
@@ -0,0 +1,101 @@
+From d73cc256c8e256c32ed959456101b73ba9842f72 Mon Sep 17 00:00:00 2001
+From: Andy Polyakov <appro@openssl.org>
+Date: Tue, 1 Dec 2015 09:00:32 +0100
+Subject: [PATCH] bn/asm/x86_64-mont5.pl: fix carry propagating bug
+ (CVE-2015-3193).
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(cherry picked from commit e7c078db57908cbf16074c68034977565ffaf107)
+
+Upstream-Status: Backport
+
+This patch was imported from 
+https://git.openssl.org/?p=openssl.git;a=commit;h=d73cc256c8e256c32ed959456101b73ba9842f72
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ crypto/bn/asm/x86_64-mont5.pl | 22 +++++++++++++++++++---
+ crypto/bn/bntest.c            | 18 ++++++++++++++++++
+ 2 files changed, 37 insertions(+), 3 deletions(-)
+
+Index: openssl-1.0.2d/crypto/bn/asm/x86_64-mont5.pl
+===================================================================
+--- openssl-1.0.2d.orig/crypto/bn/asm/x86_64-mont5.pl
++++ openssl-1.0.2d/crypto/bn/asm/x86_64-mont5.pl
+@@ -1779,6 +1779,15 @@ sqr8x_reduction:
+ .align	32
+ .L8x_tail_done:
+ 	add	(%rdx),%r8		# can this overflow?
++	adc	\$0,%r9
++	adc	\$0,%r10
++	adc	\$0,%r11
++	adc	\$0,%r12
++	adc	\$0,%r13
++	adc	\$0,%r14
++	adc	\$0,%r15		# can't overflow, because we
++					# started with "overhung" part
++					# of multiplication
+ 	xor	%rax,%rax
+ 
+ 	neg	$carry
+@@ -3125,6 +3134,15 @@ sqrx8x_reduction:
+ .align	32
+ .Lsqrx8x_tail_done:
+ 	add	24+8(%rsp),%r8		# can this overflow?
++	adc	\$0,%r9
++	adc	\$0,%r10
++	adc	\$0,%r11
++	adc	\$0,%r12
++	adc	\$0,%r13
++	adc	\$0,%r14
++	adc	\$0,%r15		# can't overflow, because we
++					# started with "overhung" part
++					# of multiplication
+ 	mov	$carry,%rax		# xor	%rax,%rax
+ 
+ 	sub	16+8(%rsp),$carry	# mov 16(%rsp),%cf
+@@ -3168,13 +3186,11 @@ my ($rptr,$nptr)=("%rdx","%rbp");
+ my @ri=map("%r$_",(10..13));
+ my @ni=map("%r$_",(14..15));
+ $code.=<<___;
+-	xor	%rbx,%rbx
++	xor	%ebx,%ebx
+ 	sub	%r15,%rsi		# compare top-most words
+ 	adc	%rbx,%rbx
+ 	mov	%rcx,%r10		# -$num
+-	.byte	0x67
+ 	or	%rbx,%rax
+-	.byte	0x67
+ 	mov	%rcx,%r9		# -$num
+ 	xor	\$1,%rax
+ 	sar	\$3+2,%rcx		# cf=0
+Index: openssl-1.0.2d/crypto/bn/bntest.c
+===================================================================
+--- openssl-1.0.2d.orig/crypto/bn/bntest.c
++++ openssl-1.0.2d/crypto/bn/bntest.c
+@@ -1027,6 +1027,24 @@ int test_mod_exp_mont_consttime(BIO *bp,
+             return 0;
+         }
+     }
++
++    /* Regression test for carry propagation bug in sqr8x_reduction */
++    BN_hex2bn(&a, "050505050505");
++    BN_hex2bn(&b, "02");
++    BN_hex2bn(&c,
++        "4141414141414141414141274141414141414141414141414141414141414141"
++        "4141414141414141414141414141414141414141414141414141414141414141"
++        "4141414141414141414141800000000000000000000000000000000000000000"
++        "0000000000000000000000000000000000000000000000000000000000000000"
++        "0000000000000000000000000000000000000000000000000000000000000000"
++        "0000000000000000000000000000000000000000000000000000000001");
++    BN_mod_exp(d, a, b, c, ctx);
++    BN_mul(e, a, a, ctx);
++    if (BN_cmp(d, e)) {
++        fprintf(stderr, "BN_mod_exp and BN_mul produce different results!\n");
++        return 0;
++    }
++
+     BN_free(a);
+     BN_free(b);
+     BN_free(c);
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
index fd56841..79e86d8 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
@@ -37,6 +37,7 @@ SRC_URI += "file://configure-targets.patch \
             file://crypto_use_bigint_in_x86-64_perl.patch \
             file://openssl-1.0.2a-x32-asm.patch \
             file://ptest_makefile_deps.patch  \
+            file://CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch \
            "
 
 SRC_URI[md5sum] = "38dd619b2e77cbac69b99f52a053d25a"
-- 
2.3.5

[PATCH][V2][Jethro, fido 2/3] openssl: fix for CVE-2015-3194

[Armin Kuster]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=y, Size: 6044 bytes --]

From: Armin Kuster <akuster@mvista.com>

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../openssl/0001-Add-test-for-CVE-2015-3194.patch  | 66 ++++++++++++++++++++++
 .../CVE-2015-3194-1-Add-PSS-parameter-check.patch  | 45 +++++++++++++++
 .../recipes-connectivity/openssl/openssl_1.0.2d.bb |  2 +
 3 files changed, 113 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Add-test-for-CVE-2015-3194.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-1-Add-PSS-parameter-check.patch

diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Add-test-for-CVE-2015-3194.patch b/meta/recipes-connectivity/openssl/openssl/0001-Add-test-for-CVE-2015-3194.patch
new file mode 100644
index 0000000..39a2e5a
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Add-test-for-CVE-2015-3194.patch
@@ -0,0 +1,66 @@
+From 00456fded43eadd4bb94bf675ae4ea5d158a764f Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Wed, 4 Nov 2015 13:30:03 +0000
+Subject: [PATCH] Add test for CVE-2015-3194
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+
+Upstream-Status: Backport
+
+This patch was imported from 
+https://git.openssl.org/?p=openssl.git;a=commit;h=00456fded43eadd4bb94bf675ae4ea5d158a764f
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ test/certs/pss1.pem | 21 +++++++++++++++++++++
+ test/tx509          |  7 +++++++
+ 2 files changed, 28 insertions(+)
+ create mode 100644 test/certs/pss1.pem
+
+diff --git a/test/certs/pss1.pem b/test/certs/pss1.pem
+new file mode 100644
+index 0000000..29da71d
+--- /dev/null
++++ b/test/certs/pss1.pem
+@@ -0,0 +1,21 @@
++-----BEGIN CERTIFICATE-----
++MIIDdjCCAjqgAwIBAgIJANcwZLyfEv7DMD4GCSqGSIb3DQEBCjAxoA0wCwYJYIZI
++AWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIEAgIA3jAnMSUwIwYD
++VQQDDBxUZXN0IEludmFsaWQgUFNTIGNlcnRpZmljYXRlMB4XDTE1MTEwNDE2MDIz
++NVoXDTE1MTIwNDE2MDIzNVowJzElMCMGA1UEAwwcVGVzdCBJbnZhbGlkIFBTUyBj
++ZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMTaM7WH
++qVCAGAIA+zL1KWvvASTrhlq+1ePdO7wsrWX2KiYoTYrJYTnxhLnn0wrHqApt79nL
++IBG7cfShyZqFHOY/IzlYPMVt+gPo293gw96Fds5JBsjhjkyGnOyr9OUntFqvxDbT
++IIFU7o9IdxD4edaqjRv+fegVE+B79pDk4s0ujsk6dULtCg9Rst0ucGFo19mr+b7k
++dbfn8pZ72ZNDJPueVdrUAWw9oll61UcYfk75XdrLk6JlL41GrYHc8KlfXf43gGQq
++QfrpHkg4Ih2cI6Wt2nhFGAzrlcorzLliQIUJRIhM8h4IgDfpBpaPdVQLqS2pFbXa
++5eQjqiyJwak2vJ8CAwEAAaNQME4wHQYDVR0OBBYEFCt180N4oGUt5LbzBwQ4Ia+2
++4V97MB8GA1UdIwQYMBaAFCt180N4oGUt5LbzBwQ4Ia+24V97MAwGA1UdEwQFMAMB
++Af8wMQYJKoZIhvcNAQEKMCSgDTALBglghkgBZQMEAgGhDTALBgkqhkiG9w0BAQii
++BAICAN4DggEBAAjBtm90lGxgddjc4Xu/nbXXFHVs2zVcHv/mqOZoQkGB9r/BVgLb
++xhHrFZ2pHGElbUYPfifdS9ztB73e1d4J+P29o0yBqfd4/wGAc/JA8qgn6AAEO/Xn
++plhFeTRJQtLZVl75CkHXgUGUd3h+ADvKtcBuW9dSUncaUrgNKR8u/h/2sMG38RWY
++DzBddC/66YTa3r7KkVUfW7yqRQfELiGKdcm+bjlTEMsvS+EhHup9CzbpoCx2Fx9p
++NPtFY3yEObQhmL1JyoCRWqBE75GzFPbRaiux5UpEkns+i3trkGssZzsOuVqHNTNZ
++lC9+9hPHIoc9UMmAQNo1vGIW3NWVoeGbaJ8=
++-----END CERTIFICATE-----
+diff --git a/test/tx509 b/test/tx509
+index 0ce3b52..77f5cac 100644
+--- a/test/tx509
++++ b/test/tx509
+@@ -74,5 +74,12 @@ if [ $? != 0 ]; then exit 1; fi
+ cmp x509-f.p x509-ff.p3
+ if [ $? != 0 ]; then exit 1; fi
+ 
++echo "Parsing test certificates"
++
++$cmd -in certs/pss1.pem -text -noout >/dev/null
++if [ $? != 0 ]; then exit 1; fi
++
++echo OK
++
+ /bin/rm -f x509-f.* x509-ff.* x509-fff.*
+ exit 0
+-- 
+2.3.5
+
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-1-Add-PSS-parameter-check.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-1-Add-PSS-parameter-check.patch
new file mode 100644
index 0000000..13d4891
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-1-Add-PSS-parameter-check.patch
@@ -0,0 +1,45 @@
+From c394a488942387246653833359a5c94b5832674e Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Fri, 2 Oct 2015 12:35:19 +0100
+Subject: [PATCH] Add PSS parameter check.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Avoid seg fault by checking mgf1 parameter is not NULL. This can be
+triggered during certificate verification so could be a DoS attack
+against a client or a server enabling client authentication.
+
+Thanks to Loïc Jonas Etienne (Qnective AG) for discovering this bug.
+
+CVE-2015-3194
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+
+Upstream-Status: Backport
+
+This patch was imported from 
+https://git.openssl.org/?p=openssl.git;a=commit;h=c394a488942387246653833359a5c94b5832674e
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ crypto/rsa/rsa_ameth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
+index ca3922e..4e06218 100644
+--- a/crypto/rsa/rsa_ameth.c
++++ b/crypto/rsa/rsa_ameth.c
+@@ -268,7 +268,7 @@ static X509_ALGOR *rsa_mgf1_decode(X509_ALGOR *alg)
+ {
+     const unsigned char *p;
+     int plen;
+-    if (alg == NULL)
++    if (alg == NULL || alg->parameter == NULL)
+         return NULL;
+     if (OBJ_obj2nid(alg->algorithm) != NID_mgf1)
+         return NULL;
+-- 
+2.3.5
+
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
index 79e86d8..0364b64 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
@@ -38,6 +38,8 @@ SRC_URI += "file://configure-targets.patch \
             file://openssl-1.0.2a-x32-asm.patch \
             file://ptest_makefile_deps.patch  \
             file://CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch \
+            file://CVE-2015-3194-1-Add-PSS-parameter-check.patch \
+            file://0001-Add-test-for-CVE-2015-3194.patch \
            "
 
 SRC_URI[md5sum] = "38dd619b2e77cbac69b99f52a053d25a"
-- 
2.3.5

[PATCH][V2][Jethro, fido 3/3] openssl: fix for CVE-2015-3195

[Armin Kuster]

From: Armin Kuster <akuster@mvista.com>

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 ...CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch | 66 ++++++++++++++++++++++
 .../recipes-connectivity/openssl/openssl_1.0.2d.bb |  1 +
 2 files changed, 67 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
new file mode 100644
index 0000000..6fc4d0e
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
@@ -0,0 +1,66 @@
+From cc598f321fbac9c04da5766243ed55d55948637d Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Tue, 10 Nov 2015 19:03:07 +0000
+Subject: [PATCH] Fix leak with ASN.1 combine.
+
+When parsing a combined structure pass a flag to the decode routine
+so on error a pointer to the parent structure is not zeroed as
+this will leak any additional components in the parent.
+
+This can leak memory in any application parsing PKCS#7 or CMS structures.
+
+CVE-2015-3195.
+
+Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
+libFuzzer.
+
+PR#4131
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+
+Upstream-Status: Backport
+
+This patch was imported from
+https://git.openssl.org/?p=openssl.git;a=commit;h=cc598f321fbac9c04da5766243ed55d55948637d
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ crypto/asn1/tasn_dec.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
+index febf605..9256049 100644
+--- a/crypto/asn1/tasn_dec.c
++++ b/crypto/asn1/tasn_dec.c
+@@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+     int otag;
+     int ret = 0;
+     ASN1_VALUE **pchptr, *ptmpval;
++    int combine = aclass & ASN1_TFLG_COMBINE;
++    aclass &= ~ASN1_TFLG_COMBINE;
+     if (!pval)
+         return 0;
+     if (aux && aux->asn1_cb)
+@@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+  auxerr:
+     ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
+  err:
+-    ASN1_item_ex_free(pval, it);
++    if (combine == 0)
++        ASN1_item_ex_free(pval, it);
+     if (errtt)
+         ERR_add_error_data(4, "Field=", errtt->field_name,
+                            ", Type=", it->sname);
+@@ -689,7 +692,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
+     } else {
+         /* Nothing special */
+         ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
+-                               -1, 0, opt, ctx);
++                               -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
+         if (!ret) {
+             ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
+             goto err;
+-- 
+2.3.5
+
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
index 0364b64..3864e88 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
@@ -40,6 +40,7 @@ SRC_URI += "file://configure-targets.patch \
             file://CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch \
             file://CVE-2015-3194-1-Add-PSS-parameter-check.patch \
             file://0001-Add-test-for-CVE-2015-3194.patch \
+            file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \
            "
 
 SRC_URI[md5sum] = "38dd619b2e77cbac69b99f52a053d25a"
-- 
2.3.5

Re: [PATCH][V2][Jethro, fido 1/3] openssl: fix for CVE-2015-3193

[Robert Yang]

Hi Armin,

I got strange errors when use git am:

  git am /tmp/jethro/*openssl*
Applying: openssl: fix for CVE-2015-3193
/buildarea/lyang1/poky/.git/rebase-apply/patch:24: trailing whitespace.
This patch was imported from
/buildarea/lyang1/poky/.git/rebase-apply/patch:41: space before tab in indent.
         add     (%rdx),%r8              # can this overflow?
/buildarea/lyang1/poky/.git/rebase-apply/patch:51: space before tab in indent.
         xor     %rax,%rax
/buildarea/lyang1/poky/.git/rebase-apply/patch:52: trailing whitespace.

/buildarea/lyang1/poky/.git/rebase-apply/patch:53: space before tab in indent.
         neg     $carry
warning: squelched 11 whitespace errors
warning: 16 lines add whitespace errors.
fatal: cannot convert from y to UTF-8

Would please put the patches to a repo ? so that I can fetch them ?

// Robert

On 01/08/2016 07:04 AM, Armin Kuster wrote:
> From: Armin Kuster <akuster@mvista.com>
>
> Signed-off-by: Armin Kuster <akuster@mvista.com>
> ---
>   ...64-mont5.pl-fix-carry-propagating-bug-CVE.patch | 101 +++++++++++++++++++++
>   .../recipes-connectivity/openssl/openssl_1.0.2d.bb |   1 +
>   2 files changed, 102 insertions(+)
>   create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch
>
> diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch
> new file mode 100644
> index 0000000..125016a
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch
> @@ -0,0 +1,101 @@
> +From d73cc256c8e256c32ed959456101b73ba9842f72 Mon Sep 17 00:00:00 2001
> +From: Andy Polyakov <appro@openssl.org>
> +Date: Tue, 1 Dec 2015 09:00:32 +0100
> +Subject: [PATCH] bn/asm/x86_64-mont5.pl: fix carry propagating bug
> + (CVE-2015-3193).
> +
> +Reviewed-by: Richard Levitte <levitte@openssl.org>
> +(cherry picked from commit e7c078db57908cbf16074c68034977565ffaf107)
> +
> +Upstream-Status: Backport
> +
> +This patch was imported from
> +https://git.openssl.org/?p=openssl.git;a=commit;h=d73cc256c8e256c32ed959456101b73ba9842f72
> +
> +Signed-off-by: Armin Kuster <akuster@mvista.com>
> +
> +---
> + crypto/bn/asm/x86_64-mont5.pl | 22 +++++++++++++++++++---
> + crypto/bn/bntest.c            | 18 ++++++++++++++++++
> + 2 files changed, 37 insertions(+), 3 deletions(-)
> +
> +Index: openssl-1.0.2d/crypto/bn/asm/x86_64-mont5.pl
> +===================================================================
> +--- openssl-1.0.2d.orig/crypto/bn/asm/x86_64-mont5.pl
> ++++ openssl-1.0.2d/crypto/bn/asm/x86_64-mont5.pl
> +@@ -1779,6 +1779,15 @@ sqr8x_reduction:
> + .align	32
> + .L8x_tail_done:
> + 	add	(%rdx),%r8		# can this overflow?
> ++	adc	\$0,%r9
> ++	adc	\$0,%r10
> ++	adc	\$0,%r11
> ++	adc	\$0,%r12
> ++	adc	\$0,%r13
> ++	adc	\$0,%r14
> ++	adc	\$0,%r15		# can't overflow, because we
> ++					# started with "overhung" part
> ++					# of multiplication
> + 	xor	%rax,%rax
> +
> + 	neg	$carry
> +@@ -3125,6 +3134,15 @@ sqrx8x_reduction:
> + .align	32
> + .Lsqrx8x_tail_done:
> + 	add	24+8(%rsp),%r8		# can this overflow?
> ++	adc	\$0,%r9
> ++	adc	\$0,%r10
> ++	adc	\$0,%r11
> ++	adc	\$0,%r12
> ++	adc	\$0,%r13
> ++	adc	\$0,%r14
> ++	adc	\$0,%r15		# can't overflow, because we
> ++					# started with "overhung" part
> ++					# of multiplication
> + 	mov	$carry,%rax		# xor	%rax,%rax
> +
> + 	sub	16+8(%rsp),$carry	# mov 16(%rsp),%cf
> +@@ -3168,13 +3186,11 @@ my ($rptr,$nptr)=("%rdx","%rbp");
> + my @ri=map("%r$_",(10..13));
> + my @ni=map("%r$_",(14..15));
> + $code.=<<___;
> +-	xor	%rbx,%rbx
> ++	xor	%ebx,%ebx
> + 	sub	%r15,%rsi		# compare top-most words
> + 	adc	%rbx,%rbx
> + 	mov	%rcx,%r10		# -$num
> +-	.byte	0x67
> + 	or	%rbx,%rax
> +-	.byte	0x67
> + 	mov	%rcx,%r9		# -$num
> + 	xor	\$1,%rax
> + 	sar	\$3+2,%rcx		# cf=0
> +Index: openssl-1.0.2d/crypto/bn/bntest.c
> +===================================================================
> +--- openssl-1.0.2d.orig/crypto/bn/bntest.c
> ++++ openssl-1.0.2d/crypto/bn/bntest.c
> +@@ -1027,6 +1027,24 @@ int test_mod_exp_mont_consttime(BIO *bp,
> +             return 0;
> +         }
> +     }
> ++
> ++    /* Regression test for carry propagation bug in sqr8x_reduction */
> ++    BN_hex2bn(&a, "050505050505");
> ++    BN_hex2bn(&b, "02");
> ++    BN_hex2bn(&c,
> ++        "4141414141414141414141274141414141414141414141414141414141414141"
> ++        "4141414141414141414141414141414141414141414141414141414141414141"
> ++        "4141414141414141414141800000000000000000000000000000000000000000"
> ++        "0000000000000000000000000000000000000000000000000000000000000000"
> ++        "0000000000000000000000000000000000000000000000000000000000000000"
> ++        "0000000000000000000000000000000000000000000000000000000001");
> ++    BN_mod_exp(d, a, b, c, ctx);
> ++    BN_mul(e, a, a, ctx);
> ++    if (BN_cmp(d, e)) {
> ++        fprintf(stderr, "BN_mod_exp and BN_mul produce different results!\n");
> ++        return 0;
> ++    }
> ++
> +     BN_free(a);
> +     BN_free(b);
> +     BN_free(c);
> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
> index fd56841..79e86d8 100644
> --- a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
> @@ -37,6 +37,7 @@ SRC_URI += "file://configure-targets.patch \
>               file://crypto_use_bigint_in_x86-64_perl.patch \
>               file://openssl-1.0.2a-x32-asm.patch \
>               file://ptest_makefile_deps.patch  \
> +            file://CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch \
>              "
>
>   SRC_URI[md5sum] = "38dd619b2e77cbac69b99f52a053d25a"
>

Re: [PATCH][V2][Jethro, fido 1/3] openssl: fix for CVE-2015-3193

[akuster808]

On 01/11/2016 07:35 PM, Robert Yang wrote:
> 
> Hi Armin,
> 
> I got strange errors when use git am:
> 
>  git am /tmp/jethro/*openssl*
> Applying: openssl: fix for CVE-2015-3193
> /buildarea/lyang1/poky/.git/rebase-apply/patch:24: trailing whitespace.
> This patch was imported from
> /buildarea/lyang1/poky/.git/rebase-apply/patch:41: space before tab in
> indent.
>         add     (%rdx),%r8              # can this overflow?
> /buildarea/lyang1/poky/.git/rebase-apply/patch:51: space before tab in
> indent.
>         xor     %rax,%rax
> /buildarea/lyang1/poky/.git/rebase-apply/patch:52: trailing whitespace.
> 
> /buildarea/lyang1/poky/.git/rebase-apply/patch:53: space before tab in
> indent.
>         neg     $carry
> warning: squelched 11 whitespace errors
> warning: 16 lines add whitespace errors.
> fatal: cannot convert from y to UTF-8
> 
> Would please put the patches to a repo ? so that I can fetch them ?
Sure thing.

- armin

> // Robert
> 
> On 01/08/2016 07:04 AM, Armin Kuster wrote:
>> From: Armin Kuster <akuster@mvista.com>
>>
>> Signed-off-by: Armin Kuster <akuster@mvista.com>
>> ---
>>   ...64-mont5.pl-fix-carry-propagating-bug-CVE.patch | 101
>> +++++++++++++++++++++
>>   .../recipes-connectivity/openssl/openssl_1.0.2d.bb |   1 +
>>   2 files changed, 102 insertions(+)
>>   create mode 100644
>> meta/recipes-connectivity/openssl/openssl/CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch
>>
>>
>> diff --git
>> a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch
>> b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch
>>
>> new file mode 100644
>> index 0000000..125016a
>> --- /dev/null
>> +++
>> b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch
>>
>> @@ -0,0 +1,101 @@
>> +From d73cc256c8e256c32ed959456101b73ba9842f72 Mon Sep 17 00:00:00 2001
>> +From: Andy Polyakov <appro@openssl.org>
>> +Date: Tue, 1 Dec 2015 09:00:32 +0100
>> +Subject: [PATCH] bn/asm/x86_64-mont5.pl: fix carry propagating bug
>> + (CVE-2015-3193).
>> +
>> +Reviewed-by: Richard Levitte <levitte@openssl.org>
>> +(cherry picked from commit e7c078db57908cbf16074c68034977565ffaf107)
>> +
>> +Upstream-Status: Backport
>> +
>> +This patch was imported from
>> +https://git.openssl.org/?p=openssl.git;a=commit;h=d73cc256c8e256c32ed959456101b73ba9842f72
>>
>> +
>> +Signed-off-by: Armin Kuster <akuster@mvista.com>
>> +
>> +---
>> + crypto/bn/asm/x86_64-mont5.pl | 22 +++++++++++++++++++---
>> + crypto/bn/bntest.c            | 18 ++++++++++++++++++
>> + 2 files changed, 37 insertions(+), 3 deletions(-)
>> +
>> +Index: openssl-1.0.2d/crypto/bn/asm/x86_64-mont5.pl
>> +===================================================================
>> +--- openssl-1.0.2d.orig/crypto/bn/asm/x86_64-mont5.pl
>> ++++ openssl-1.0.2d/crypto/bn/asm/x86_64-mont5.pl
>> +@@ -1779,6 +1779,15 @@ sqr8x_reduction:
>> + .align    32
>> + .L8x_tail_done:
>> +     add    (%rdx),%r8        # can this overflow?
>> ++    adc    \$0,%r9
>> ++    adc    \$0,%r10
>> ++    adc    \$0,%r11
>> ++    adc    \$0,%r12
>> ++    adc    \$0,%r13
>> ++    adc    \$0,%r14
>> ++    adc    \$0,%r15        # can't overflow, because we
>> ++                    # started with "overhung" part
>> ++                    # of multiplication
>> +     xor    %rax,%rax
>> +
>> +     neg    $carry
>> +@@ -3125,6 +3134,15 @@ sqrx8x_reduction:
>> + .align    32
>> + .Lsqrx8x_tail_done:
>> +     add    24+8(%rsp),%r8        # can this overflow?
>> ++    adc    \$0,%r9
>> ++    adc    \$0,%r10
>> ++    adc    \$0,%r11
>> ++    adc    \$0,%r12
>> ++    adc    \$0,%r13
>> ++    adc    \$0,%r14
>> ++    adc    \$0,%r15        # can't overflow, because we
>> ++                    # started with "overhung" part
>> ++                    # of multiplication
>> +     mov    $carry,%rax        # xor    %rax,%rax
>> +
>> +     sub    16+8(%rsp),$carry    # mov 16(%rsp),%cf
>> +@@ -3168,13 +3186,11 @@ my ($rptr,$nptr)=("%rdx","%rbp");
>> + my @ri=map("%r$_",(10..13));
>> + my @ni=map("%r$_",(14..15));
>> + $code.=<<___;
>> +-    xor    %rbx,%rbx
>> ++    xor    %ebx,%ebx
>> +     sub    %r15,%rsi        # compare top-most words
>> +     adc    %rbx,%rbx
>> +     mov    %rcx,%r10        # -$num
>> +-    .byte    0x67
>> +     or    %rbx,%rax
>> +-    .byte    0x67
>> +     mov    %rcx,%r9        # -$num
>> +     xor    \$1,%rax
>> +     sar    \$3+2,%rcx        # cf=0
>> +Index: openssl-1.0.2d/crypto/bn/bntest.c
>> +===================================================================
>> +--- openssl-1.0.2d.orig/crypto/bn/bntest.c
>> ++++ openssl-1.0.2d/crypto/bn/bntest.c
>> +@@ -1027,6 +1027,24 @@ int test_mod_exp_mont_consttime(BIO *bp,
>> +             return 0;
>> +         }
>> +     }
>> ++
>> ++    /* Regression test for carry propagation bug in sqr8x_reduction */
>> ++    BN_hex2bn(&a, "050505050505");
>> ++    BN_hex2bn(&b, "02");
>> ++    BN_hex2bn(&c,
>> ++       
>> "4141414141414141414141274141414141414141414141414141414141414141"
>> ++       
>> "4141414141414141414141414141414141414141414141414141414141414141"
>> ++       
>> "4141414141414141414141800000000000000000000000000000000000000000"
>> ++       
>> "0000000000000000000000000000000000000000000000000000000000000000"
>> ++       
>> "0000000000000000000000000000000000000000000000000000000000000000"
>> ++        "0000000000000000000000000000000000000000000000000000000001");
>> ++    BN_mod_exp(d, a, b, c, ctx);
>> ++    BN_mul(e, a, a, ctx);
>> ++    if (BN_cmp(d, e)) {
>> ++        fprintf(stderr, "BN_mod_exp and BN_mul produce different
>> results!\n");
>> ++        return 0;
>> ++    }
>> ++
>> +     BN_free(a);
>> +     BN_free(b);
>> +     BN_free(c);
>> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
>> b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
>> index fd56841..79e86d8 100644
>> --- a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
>> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
>> @@ -37,6 +37,7 @@ SRC_URI += "file://configure-targets.patch \
>>               file://crypto_use_bigint_in_x86-64_perl.patch \
>>               file://openssl-1.0.2a-x32-asm.patch \
>>               file://ptest_makefile_deps.patch  \
>> +           
>> file://CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch
>> \
>>              "
>>
>>   SRC_URI[md5sum] = "38dd619b2e77cbac69b99f52a053d25a"
>>