FreeBSD: VID-8337251B-B07B-11EE-B0D7-84A93843EB75 (CVE-2023-6129): OpenSSL -- Vector register corruption on PowerPC

Issue summary: The POLY1305 MAC (message authentication code) implementation

contains a bug that might corrupt the internal state of applications running

on PowerPC CPU based platforms if the CPU provides vector instructions.

Impact summary: If an attacker can influence whether the POLY1305 MAC

algorithm is used, the application state might be corrupted with various

application dependent consequences.

The POLY1305 MAC (message authentication code) implementation in OpenSSL for

PowerPC CPUs restores the contents of vector registers in a different order

than they are saved. Thus the contents of some of these vector registers

are corrupted when returning to the caller. The vulnerable code is used only

on newer PowerPC processors supporting the PowerISA 2.07 instructions.

The consequences of this kind of internal application state corruption can

be various - from no consequences, if the calling application does not

depend on the contents of non-volatile XMM registers at all, to the worst

consequences, where the attacker could get complete control of the application

process. However unless the compiler uses the vector registers for storing

pointers, the most likely consequence, if any, would be an incorrect result

of some application dependent calculations or a crash leading to a denial of

service.

The POLY1305 MAC algorithm is most frequently used as part of the

CHACHA20-POLY1305 AEAD (authenticated encryption with associated data)

algorithm. The most common usage of this AEAD cipher is with TLS protocol

versions 1.2 and 1.3. If this cipher is enabled on the server a malicious

client can influence whether this AEAD cipher is used. This implies that

TLS server applications using OpenSSL can be potentially impacted. However

we are currently not aware of any concrete application that would be affected

by this issue therefore we consider this a Low severity security issue.