diff --git a/CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch b/CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch new file mode 100644 index 0000000000000000000000000000000000000000..05d71ab798b5f73b311b9617e92c230a39d047fc --- /dev/null +++ b/CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch @@ -0,0 +1,73 @@ +From 919925673d6c9cfed3c1085497f5dfbbed5fc431 Mon Sep 17 00:00:00 2001 +From: Alex Chernyakhovsky +Date: Thu, 16 Jun 2022 12:00:22 +1000 +Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path +that performs operations on 6 16-byte blocks concurrently (the +"grandloop") and then proceeds to handle the "short" tail (which can +be anywhere from 0 to 5 blocks) that remain. + +As part of initialization, the assembly initializes $len to the true +length, less 96 bytes and converts it to a pointer so that the $inp +can be compared to it. Each iteration of "grandloop" checks to see if +there's a full 96-byte chunk to process, and if so, continues. Once +this has been exhausted, it falls through to "short", which handles +the remaining zero to five blocks. + +Unfortunately, the jump at the end of "grandloop" had a fencepost +error, doing a `jb` ("jump below") rather than `jbe` (jump below or +equal). This should be `jbe`, as $inp is pointing to the *end* of the +chunk currently being handled. If $inp == $len, that means that +there's a whole 96-byte chunk waiting to be handled. If $inp > $len, +then there's 5 or fewer 16-byte blocks left to be handled, and the +fall-through is intended. + +The net effect of `jb` instead of `jbe` is that the last 16-byte block +of the last 96-byte chunk was completely omitted. The contents of +`out` in this position were never written to. Additionally, since +those bytes were never processed, the authentication tag generated is +also incorrect. + +The same fencepost error, and identical logic, exists in both +aesni_ocb_encrypt and aesni_ocb_decrypt. + +This addresses CVE-2022-2097. + +Co-authored-by: Alejandro SedeƱo +Co-authored-by: David Benjamin + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +--- + crypto/aes/asm/aesni-x86.pl | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl +index fe2b265..812758e 100644 +--- a/crypto/aes/asm/aesni-x86.pl ++++ b/crypto/aes/asm/aesni-x86.pl +@@ -2027,7 +2027,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out); + &movdqu (&QWP(-16*2,$out,$inp),$inout4); + &movdqu (&QWP(-16*1,$out,$inp),$inout5); + &cmp ($inp,$len); # done yet? +- &jb (&label("grandloop")); ++ &jbe (&label("grandloop")); + + &set_label("short"); + &add ($len,16*6); +@@ -2453,7 +2453,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out); + &pxor ($rndkey1,$inout5); + &movdqu (&QWP(-16*1,$out,$inp),$inout5); + &cmp ($inp,$len); # done yet? +- &jb (&label("grandloop")); ++ &jbe (&label("grandloop")); + + &set_label("short"); + &add ($len,16*6); +-- +1.8.3.1 + diff --git a/openssl.spec b/openssl.spec index 062fc4e8c5771034304b1db206daadf15d29d230..92b1227ecfe0d8af52e321599ce2331cb2d5db22 100644 --- a/openssl.spec +++ b/openssl.spec @@ -2,7 +2,7 @@ Name: openssl Epoch: 1 Version: 1.1.1f -Release: 17 +Release: 18 Summary: Cryptography and SSL/TLS Toolkit License: OpenSSL and SSLeay and GPLv2+ URL: https://www.openssl.org/ @@ -93,6 +93,7 @@ Patch82: CVE-2022-0778-Add-a-negative-testcase-for-BN_mod_sqrt.patch Patch83: CVE-2022-0778-Fix-possible-infinite-loop-in-BN_mod_sqrt.patch Patch84: CVE-2022-1292.patch Patch85: CVE-2022-2068-Fix-file-operations-in-c_rehash.patch +Patch86: CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch BuildRequires: gcc make lksctp-tools-devel coreutils util-linux zlib-devel @@ -270,8 +271,11 @@ make test || : %{_pkgdocdir}/html/ %changelog +* Thu Jul 14 2022 fangxiuning - 1:1.1.1f-18 +- fix CVE-2022-2097 + * Fri Jul 01 2022 wangcheng - 1:1.1.1f-17 -- fic CVE-2022-2068 +- fix CVE-2022-2068 * Mon May 16 2022 wangcheng - 1:1.1.1f-16 - fix CVE-2022-1292