- Reported
-
- Issued
-
- Package
-
libcrux-secrets
(crates.io)
- Type
-
Vulnerability
- References
-
- CVSS Score
- 8.2
HIGH
- CVSS Details
-
- Attack Complexity
- Low
- Attack Requirements
- Present
- Attack Vector
- Network
- Privileges Required
- None
- Availability Impact to the Subsequent System
- None
- Confidentiality Impact to the Subsequent System
- None
- Integrity Impact to the Subsequent System
- None
- User Interaction
- None
- Availability Impact to the Vulnerable System
- High
- Confidentiality Impact to the Vulnerable System
- None
- Integrity Impact to the Vulnerable System
- None
- CVSS Vector
- CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
- Patched
-
- Affected Functions
- Version
libcrux_secrets::Select::select
-
libcrux_secrets::Swap::swap
-
Description
The implementation of constant-time swap and select on aarch64
platforms used a cmp instruction in inline assembly to check whether
an 8-bit wide selector was 0. The cmp instruction works on 32-bit
registers, which included the unspecified high 24 bits of the cmp operand.
Depending on the execution environment the cmp
could thus potentially return an incorrect result because its
operand's high bits in the inline assembly were set when Rust expected them to be unset.
This could lead to incorrect results for the constant-time swap and select
operations built from this comparison.
Impact
In certain circumstances the swap and select instructions on aarch64
platforms returned incorrect results.
Mitigation
Starting from version 0.0.6, the selector is compared using a tst
instruction with a mask, which only compares the first 8 bits of the
selector.
Advisory available under CC0-1.0
license.