From 0227da548c3b17ef69ec7deeb5ed8e72f3218fda Mon Sep 17 00:00:00 2001
From: Tommi Hirvola <tommi@hirvola.fi>
Date: Tue, 19 Feb 2019 17:45:54 +0200
Subject: [PATCH] UPSTREAM: crypto: x86/poly1305 - Clear key material from
 stack in SSE2 variant

1-block SSE2 variant of poly1305 stores variables s1..s4 containing key
material on the stack. This commit adds missing zeroing of the stack
memory. Benchmarks show negligible performance hit (tested on i7-3770).

Signed-off-by: Tommi Hirvola <tommi@hirvola.fi>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 7748168c66404a3ee732972a3a55b5332245eb25)
Bug: 152722841
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Iada3921d6f93921385c4f1229973511c163d5aab
---
 arch/x86/crypto/poly1305-sse2-x86_64.S | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/x86/crypto/poly1305-sse2-x86_64.S b/arch/x86/crypto/poly1305-sse2-x86_64.S
index 5851c7418fb7..6f0be7a86964 100644
--- a/arch/x86/crypto/poly1305-sse2-x86_64.S
+++ b/arch/x86/crypto/poly1305-sse2-x86_64.S
@@ -272,6 +272,10 @@ ENTRY(poly1305_block_sse2)
 	dec		%rcx
 	jnz		.Ldoblock
 
+	# Zeroing of key material
+	mov		%rcx,0x00(%rsp)
+	mov		%rcx,0x08(%rsp)
+
 	add		$0x10,%rsp
 	pop		%r12
 	pop		%rbx