From 48b5156258b8fd8ea7b97d5221152e4011894969 Mon Sep 17 00:00:00 2001
From: jsing
Date: Wed, 24 Jan 2024 13:39:44 +0000
Subject: [PATCH] Avoid a four byte overread in gcm_ghash_4bit() on amd64.

The assembly code for gcm_ghash_4bit() reads one too many times from Xi, resulting in a four byte overread. Prevent this by not loading the next value in the final iteration of the loop. If another full iteration is required the next Xi value will be loaded at the top of the outer_loop. Many thanks to Douglas Gliner for finding and reporting this issue, along with a detailed reproducer. Same diff from deraadt@ ok tb@
---
 lib/libcrypto/modes/asm/ghash-x86_64.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/libcrypto/modes/asm/ghash-x86_64.pl b/lib/libcrypto/modes/asm/ghash-x86_64.pl
index 9ce0c381410..4fded507c89 100644
--- a/lib/libcrypto/modes/asm/ghash-x86_64.pl
+++ b/lib/libcrypto/modes/asm/ghash-x86_64.pl
@@ -285,7 +285,7 @@ $code.=".align 16\n.Louter_loop:\n";
 &shr ($Zlo,8);
 &movz ($rem[0],&LB($rem[0]));
- &mov ($dat,"$j($Xi)") if (--$j%4==0);
+ &mov ($dat,"$j($Xi)") if (--$j%4==0 && $j>=0);
 &shr ($Zhi,8);
 &xor ($Zlo,"-128($Hshr4,$nhi[0],8)");
--
2.20.1
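Review bot: The added `$j>=0` guard on the changed `&mov` line stops the out-of-bounds Xi load, but it leaves the reader to reconstruct why the last unrolled step must skip it, and the fix now silently depends on `--$j` being the left operand of `&&` so the decrement still happens on the steps where the load is suppressed. Because this is generator code that emits the assembly, a one-line comment above the statement would keep that reasoning next to the guard: `# last unrolled step: skip the Xi load; the next word is fetched at the top of .Louter_loop, and $j<0 would read outside Xi`. The Perl loop that emits the unrolled body starts and ends outside the hunk, and the hunk header counts seven lines per side while only five are visible here, so some context lines appear to have been lost in this excerpt. It would also be worth turning the reporter's reproducer into a regression test run under a memory sanitizer, so that the generated assembly, and not only the generator source, is checked for this overread in future.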