bn/asm/x86_64-mont5.pl: fix carry bug in bn_sqrx8x_internal.

Credit to OSS-Fuzz for finding this. CVE-2017-3736 Reviewed-by: Rich Salz <rsalz@openssl.org>
author: Andy Polyakov <appro@openssl.org> 2017-08-17 21:08:57 +0200
committer: Matt Caswell <matt@openssl.org> 2017-11-02 11:06:40 +0000
commit: 38d600147331d36e74174ebbd4008b63188b321b (patch)
tree: 55b3fb201814dd62dfc20e656b1b568227e4c3c6
parent: 23f7e974d59a576ad7d8cfd9f7ac957a883e361f (diff)
1 files changed, 10 insertions, 2 deletions
diff --git a/crypto/bn/asm/x86_64-mont5.pl b/crypto/bn/asm/x86_64-mont5.pl
index 3bb0cdf5bd..42178e455a 100755
--- a/crypto/bn/asm/x86_64-mont5.pl
+++ b/crypto/bn/asm/x86_64-mont5.pl
@@ -3090,11 +3090,19 @@ $code.=<<___;
 
 .align	32
 .Lsqrx8x_break:
-	sub	16+8(%rsp),%r8		# consume last carry
+	xor	$zero,$zero
+	sub	16+8(%rsp),%rbx		# mov 16(%rsp),%cf
+	adcx	$zero,%r8
 	mov	24+8(%rsp),$carry	# initial $tptr, borrow $carry
+	adcx	$zero,%r9
 	mov	0*8($aptr),%rdx		# a[8], modulo-scheduled
-	xor	%ebp,%ebp		# xor	$zero,$zero
+	adc	\$0,%r10
 	mov	%r8,0*8($tptr)
+	adc	\$0,%r11
+	adc	\$0,%r12
+	adc	\$0,%r13
+	adc	\$0,%r14
+	adc	\$0,%r15
 	cmp	$carry,$tptr		# cf=0, of=0
 	je	.Lsqrx8x_outer_loop
author	Andy Polyakov <appro@openssl.org>	2017-08-17 21:08:57 +0200
committer	Matt Caswell <matt@openssl.org>	2017-11-02 11:06:40 +0000
commit	38d600147331d36e74174ebbd4008b63188b321b (patch)
tree	55b3fb201814dd62dfc20e656b1b568227e4c3c6
parent	23f7e974d59a576ad7d8cfd9f7ac957a883e361f (diff)