[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug 1880332] Re: Possible regression in QEMU 5.0.0 after CVE-2020-10702
From: |
Richard Henderson |
Subject: |
[Bug 1880332] Re: Possible regression in QEMU 5.0.0 after CVE-2020-10702 (segmentation fault) |
Date: |
Mon, 01 Jun 2020 18:18:04 -0000 |
This is a compiler bug affecting (at least) libcrypto.so.1.1:
179d90: d503233f paciasp
179d94: a9bb7bfd stp x29, x30, [sp, #-80]!
...
17a400: d50323bf autiasp
17a404: f84507fd ldr x29, [sp], #80
17a408: d65f03c0 ret
The PAC happens with the initial sp:
X30=0000005501de55fc SP=00000055018477a0
while the AUTH happens with the decremented sp:
X30=0011005501de55fc SP=0000005501847750
Since the salt (sp) is different for the two operations, the
authorization should and does fail:
X30=0020005501de55fc
Note bit 53 is now set in x30, which is the error indication.
The compiler must move the authiasp down below the ldr pop.
** Changed in: qemu
Status: New => Invalid
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1880332
Title:
Possible regression in QEMU 5.0.0 after CVE-2020-10702 (segmentation
fault)
Status in QEMU:
Invalid
Bug description:
I've come across a very specific situation, but I'm sure it could be
replicated in other cases.
In QEMU 5.0.0 when I use user emulation with a cURL binary for aarch64
and connect to a server using TLS 1.2 and ECDHE-ECDSA-
CHACHA20-POLY1305 cypher a segmentation fault occurs.
I attach a Dockerfile that reproduces this crash and the strace output
with and without the de0b1bae6461f67243282555475f88b2384a1eb9 commit
reverted.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1880332/+subscriptions
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Bug 1880332] Re: Possible regression in QEMU 5.0.0 after CVE-2020-10702 (segmentation fault),
Richard Henderson <=