7325eaecfb
- Include upstream patches targeted for the next stable release (bug fixes only) spapr-Fix-failure-path-for-attempting-to.patch target-i386-do-not-set-unsupported-VMX-s.patch target-xtensa-fix-pasto-in-pfwait.r-opco.patch tcg-i386-Fix-INDEX_op_dup2_vec.patch tcg-mips-mips-sync-encode-error.patch vhost-user-gpu-Release-memory-returned-b.patch vpc-Don-t-round-up-already-aligned-BAT-s.patch xen-block-Fix-double-qlist-remove-and-re.patch - Fix bug causing weak encryption in PAuth for ARM (CVE-2020-10702 bsc#1168681) target-arm-Fix-PAuth-sbox-functions.patch - Fix OOB in tulip NIC emulation (CVE-2020-11102 bsc#1168713 net-tulip-check-frame-size-and-r-w-data-.patch - Note that previously included patch addresses CVE-2020-1711 and bsc#1166240 iscsi-Cap-block-count-from-GET-LBA-STATU.patch - Include performance improvement (and related?) patch aio-wait-delegate-polling-of-main-AioCon.patch async-use-explicit-memory-barriers.patch - Rework previous patch at Olaf H.'s direction hw-i386-disable-smbus-migration-for-xenf.patch - Eliminate is_opensuse usage in producing seabios version string what we are doing here is just replacing the upstream string with one indicating that the openSUSE build service built it, and so just leave it as "-rebuilt.opensuse.org" - Alter algorithm used to produce "unique" symbol for coordinating qemu with the optional modules it may load. This is a reasonable relaxation for broader compatibility configure-remove-pkgversion-from-CONFIG_.patch - Tweak supported.*.txt for latest deprecations, and other fixes - Tweak update_git.sh, config.sh - One more fix is needed for: s390x Protected Virtualization support - start and control guest in secure mode (bsc#1167075 jsc#SLE-7407) s390x-s390-virtio-ccw-Fix-build-on-syste.patch OBS-URL: https://build.opensuse.org/request/show/795118 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=542
49 lines
1.7 KiB
Diff
49 lines
1.7 KiB
Diff
From: Vincent Dehors <vincent.dehors@smile.fr>
|
|
Date: Thu, 23 Jan 2020 15:22:38 +0000
|
|
Subject: target/arm: Fix PAuth sbox functions
|
|
|
|
Git-commit: de0b1bae6461f67243282555475f88b2384a1eb9
|
|
References: bsc#1168681, CVE-2020-10702
|
|
|
|
In the PAC computation, sbox was applied over wrong bits.
|
|
As this is a 4-bit sbox, bit index should be incremented by 4 instead of 16.
|
|
|
|
Test vector from QARMA paper (https://eprint.iacr.org/2016/444.pdf) was
|
|
used to verify one computation of the pauth_computepac() function which
|
|
uses sbox2.
|
|
|
|
Launchpad: https://bugs.launchpad.net/bugs/1859713
|
|
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
|
|
Signed-off-by: Vincent DEHORS <vincent.dehors@smile.fr>
|
|
Signed-off-by: Adrien GRASSEIN <adrien.grassein@smile.fr>
|
|
Message-id: 20200116230809.19078-2-richard.henderson@linaro.org
|
|
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
|
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
|
---
|
|
target/arm/pauth_helper.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/target/arm/pauth_helper.c b/target/arm/pauth_helper.c
|
|
index d3194f20437b717ec1cc13a1003e..0a5f41e10c5f03d85a727b2b7c42 100644
|
|
--- a/target/arm/pauth_helper.c
|
|
+++ b/target/arm/pauth_helper.c
|
|
@@ -89,7 +89,7 @@ static uint64_t pac_sub(uint64_t i)
|
|
uint64_t o = 0;
|
|
int b;
|
|
|
|
- for (b = 0; b < 64; b += 16) {
|
|
+ for (b = 0; b < 64; b += 4) {
|
|
o |= (uint64_t)sub[(i >> b) & 0xf] << b;
|
|
}
|
|
return o;
|
|
@@ -104,7 +104,7 @@ static uint64_t pac_inv_sub(uint64_t i)
|
|
uint64_t o = 0;
|
|
int b;
|
|
|
|
- for (b = 0; b < 64; b += 16) {
|
|
+ for (b = 0; b < 64; b += 4) {
|
|
o |= (uint64_t)inv_sub[(i >> b) & 0xf] << b;
|
|
}
|
|
return o;
|