crypto/poly1305/asm: fix armv8 pointer authentication
author Ard Biesheuvel <ard.biesheuvel@arm.com>
Tue, 27 Oct 2020 17:02:40 +0000 (18:02 +0100)
committer Tomas Mraz <tmraz@fedoraproject.org>
Thu, 29 Oct 2020 16:17:21 +0000 (17:17 +0100)
PAC pointer authentication signs the return address against the value
of the stack pointer, to prevent stack overrun exploits from corrupting
the control flow. However, this requires that the AUTIASP is issued with
SP holding the same value as it held when the PAC value was generated.
The Poly1305 armv8 code got this wrong, resulting in crashes on PAC
capable hardware.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13256)

crypto/poly1305/asm/poly1305-armv8.pl

index d2d875ad6c7eaef265caee0346b9eecc72b8cacb..113a2151b6fa142514231d4ca98a773c3766e2f3 100755 (executable)
@@ -866,8 +866,8 @@ poly1305_blocks_neon:
        st1     {$ACC4}[0],[$ctx]
 
 .Lno_data_neon:
-       .inst   0xd50323bf              // autiasp
        ldr     x29,[sp],#80
+       .inst   0xd50323bf              // autiasp
        ret
 .size  poly1305_blocks_neon,.-poly1305_blocks_neon
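
Review bot: The ordering constraint at .Lno_data_neon is not recorded in the code, so a later edit to this epilogue could move `autiasp` back above `ldr x29,[sp],#80` without anyone noticing. Consider extending the comment on the moved line, for example `// autiasp (SP must match its value at signing time)`. The post-indexed load adds 80 to SP, so the authentication now runs after SP is restored. It is worth confirming that the matching signing instruction in the prologue, which is outside this hunk, executes before the 80-byte frame is allocated, and that no other return path in this file authenticates before restoring SP.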