Possible regression in QEMU 5.0.0 after CVE-2020-10702 (segmentation fault)
Bug #1880332 reported by
Héctor Molinero Fernández
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| QEMU |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
I've come across a very specific situation, but I'm sure it could be replicated in other cases.
In QEMU 5.0.0 when I use user emulation with a cURL binary for aarch64 and connect to a server using TLS 1.2 and ECDHE-ECDSA-
I attach a Dockerfile that reproduces this crash and the strace output with and without the de0b1bae6461f67
Revision history for this message
| Héctor Molinero Fernández (hectormf) wrote | #1 |
| tags: | added: linux-user |
Revision history for this message
| Richard Henderson (rth) wrote | #2 |
| Changed in qemu: | |
| status: | New → Invalid |
To post a comment you must log in.
This is a compiler bug affecting (at least) libcrypto.so.1.1:
179d90: d503233f paciasp
179d94: a9bb7bfd stp x29, x30, [sp, #-80]!
...
17a400: d50323bf autiasp
17a404: f84507fd ldr x29, [sp], #80
17a408: d65f03c0 ret
The PAC happens with the initial sp:
X30=000000550
while the AUTH happens with the decremented sp:
X30=001100550
Since the salt (sp) is different for the two operations, the
authorization should and does fail:
X30=002000550
Note bit 53 is now set in x30, which is the error indication.
The compiler must move the authiasp down below the ldr pop.