Re: [Buildroot] [PATCH] package/botan: add patch for CVE-2024-50382 & CVE-2024-50383

From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: Thomas Perale <thomas.perale@mind.be>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] package/botan: add patch for CVE-2024-50382 & CVE-2024-50383
Date: Fri,  6 Mar 2026 20:53:08 +0100	[thread overview]
Message-ID: <20260306195308.7643-1-thomas.perale@mind.be> (raw)
In-Reply-To: <20260227084404.35563-1-thomas.perale@mind.be>

In reply of:
> Fixes the following vulnerabilities:
> 
> - CVE-2024-50382:
>     Botan before 3.6.0, when certain LLVM versions are used, has compiler-
>     induced secret-dependent control flow in lib/utils/ghash/ghash.cpp in
>     GHASH in AES-GCM. There is a branch instead of an XOR with carry. This
>     was observed for Clang in LLVM 15 on RISC-V.
> 
> For more information, see:
>   - https://www.cve.org/CVERecord?id=CVE-2024-50382
>   - https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957
> 
> - CVE-2024-50383:
>     Botan before 3.6.0, when certain GCC versions are used, has a
>     compiler-induced secret-dependent operation in lib/utils/donna128.h in
>     donna128 (used in Chacha-Poly1305 and x25519). An addition can be
>     skipped if a carry is not set. This was observed for GCC 11.3.0 with
>     -O2 on MIPS, and GCC on x86-i386. (Only 32-bit processors can be
>     affected.)
> 
> For more information, see:
>   - https://www.cve.org/CVERecord?id=CVE-2024-50383
>   - https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957
> 
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>

Applied to 2025.02.x & 2025.11.x. Thanks

> ---
>  ...avoid-compiler-induced-side-channels.patch | 65 +++++++++++++++++++
>  package/botan/botan.mk                        |  3 +
>  2 files changed, 68 insertions(+)
>  create mode 100644 package/botan/0001-Add-more-value-barriers-to-avoid-compiler-induced-side-channels.patch
> 
> diff --git a/package/botan/0001-Add-more-value-barriers-to-avoid-compiler-induced-side-channels.patch b/package/botan/0001-Add-more-value-barriers-to-avoid-compiler-induced-side-channels.patch
> new file mode 100644
> index 0000000000..22f64be1b9
> --- /dev/null
> +++ b/package/botan/0001-Add-more-value-barriers-to-avoid-compiler-induced-side-channels.patch
> @@ -0,0 +1,65 @@
> +From 53b0cfde580e86b03d0d27a488b6c134f662e957 Mon Sep 17 00:00:00 2001
> +From: Jack Lloyd <jack@randombit.net>
> +Date: Sat, 19 Oct 2024 07:43:18 -0400
> +Subject: [PATCH] Add more value barriers to avoid compiler induced side
> + channels
> +
> +The paper https://arxiv.org/pdf/2410.13489 claims that on specific
> +architectures Clang and GCC may introduce jumps here. The donna128
> +issues only affect 32-bit processors, which explains why we would not
> +see it in the x86-64 valgrind runs.
> +
> +The GHASH leak would seem to be generic but the authors only observed
> +it on RISC-V.
> +
> +CVE: CVE-2024-50382
> +CVE: CVE-2024-50383
> +Upstream: https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957
> +Signed-off-by: Thomas Perale <thomas.perale@mind.be>
> +---
> + src/lib/utils/donna128.h      | 5 +++--
> + src/lib/utils/ghash/ghash.cpp | 2 +-
> + 2 files changed, 4 insertions(+), 3 deletions(-)
> +
> +diff --git a/src/lib/utils/donna128.h b/src/lib/utils/donna128.h
> +index 8212bd349e0..7adf54546df 100644
> +--- a/src/lib/utils/donna128.h
> ++++ b/src/lib/utils/donna128.h
> +@@ -8,6 +8,7 @@
> + #ifndef BOTAN_CURVE25519_DONNA128_H_
> + #define BOTAN_CURVE25519_DONNA128_H_
> + 
> ++#include <botan/internal/ct_utils.h>
> + #include <botan/internal/mul128.h>
> + #include <type_traits>
> + 
> +@@ -73,14 +74,14 @@ class donna128 final {
> +          l += x.l;
> +          h += x.h;
> + 
> +-         const uint64_t carry = (l < x.l);
> ++         const uint64_t carry = CT::Mask<uint64_t>::is_lt(l, x.l).if_set_return(1);
> +          h += carry;
> +          return *this;
> +       }
> + 
> +       constexpr donna128& operator+=(uint64_t x) {
> +          l += x;
> +-         const uint64_t carry = (l < x);
> ++         const uint64_t carry = CT::Mask<uint64_t>::is_lt(l, x).if_set_return(1);
> +          h += carry;
> +          return *this;
> +       }
> +diff --git a/src/lib/utils/ghash/ghash.cpp b/src/lib/utils/ghash/ghash.cpp
> +index 8c3b1ed6c2a..61b28590002 100644
> +--- a/src/lib/utils/ghash/ghash.cpp
> ++++ b/src/lib/utils/ghash/ghash.cpp
> +@@ -131,7 +131,7 @@ void GHASH::key_schedule(std::span<const uint8_t> key) {
> +          m_HM[4 * j + 2 * i + 1] = H1;
> + 
> +          // GCM's bit ops are reversed so we carry out of the bottom
> +-         const uint64_t carry = R * (H1 & 1);
> ++         const uint64_t carry = CT::Mask<uint64_t>::expand(H1 & 1).if_set_return(R);
> +          H1 = (H1 >> 1) | (H0 << 63);
> +          H0 = (H0 >> 1) ^ carry;
> +       }
> diff --git a/package/botan/botan.mk b/package/botan/botan.mk
> index 561e7bf702..38948f0184 100644
> --- a/package/botan/botan.mk
> +++ b/package/botan/botan.mk
> @@ -11,6 +11,9 @@ BOTAN_LICENSE = BSD-2-Clause
>  BOTAN_LICENSE_FILES = license.txt
>  BOTAN_CPE_ID_VALID = YES
>  
> +# 0001-Add-more-value-barriers-to-avoid-compiler-induced-side-channels.patch
> +BOTAN_IGNORE_CVES += CVE-2024-50382 CVE-2024-50383
> +
>  BOTAN_INSTALL_STAGING = YES
>  
>  BOTAN_DEPENDENCIES = host-python3
> -- 
> 2.53.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot