Commit 7464ccdd43 for openssl.org

commit 7464ccdd43f600decd0af571556a1fc56ccd6419
Author: Daniel Kubec <kubec@openssl.org>
Date:   Wed Mar 18 11:27:52 2026 +0100

    Out-of-bounds read in AES-CFB-128 on X86-64 with AVX-512 support

    The partial-block pre-processing code in ossl_aes_cfb128_vaes_enc and
    ossl_aes_cfb128_vaes_dec unconditionally loads 16 bytes from the input buffer
    using unmasked vmovdqu8 instructions, even when fewer bytes are valid.
    This can read 1–15 bytes beyond the provided buffer. The post-processing code
    in the same file correctly uses masked loads to avoid this issue.

    Fixes CVE-2026-28386

    Co-Authored-by: Stanislav Fort <stanislav.fort@aisle.com>
    Co-Authored-by: Pavel Kohout <pavel.kohout@aisle.com>
    Co-Authored-by: Alex Gaynor <gaynor@anthropic.com>

    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
    Reviewed-by: Saša Nedvědický <sashan@openssl.org>
    Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
    MergeDate: Mon Apr  6 19:16:26 2026

diff --git a/crypto/aes/asm/aes-cfb-avx512.pl b/crypto/aes/asm/aes-cfb-avx512.pl
index 8136f16e55..01047a0d66 100644
--- a/crypto/aes/asm/aes-cfb-avx512.pl
+++ b/crypto/aes/asm/aes-cfb-avx512.pl
@@ -499,8 +499,8 @@ $code.=<<___;
     and \$0x0F,%al                   # wrap-around $num in a 16-byte block

     leaq ($num,$ivp),%r11            # process $left iv bytes
-    vmovdqu8 (%r11),%xmm0
-    vmovdqu8 ($inp),%xmm1            # process $left input bytes
+    vmovdqu8 (%r11),%xmm0{%k1}{z}
+    vmovdqu8 ($inp),%xmm1{%k1}{z}    # process $left input bytes
     vpxor %xmm0,%xmm1,%xmm2          # CipherFeedBack XOR
     vmovdqu8 %xmm2,($out){%k1}       # write $left output bytes
     vmovdqu8 %xmm2,(%r11){%k1}       # blend $left output bytes into iv
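Review bot: The two new masked loads are only in-bounds if `%k1` already holds the low-$left-bit mask when control reaches them, and that mask setup is outside this hunk (the routine begins before the `and \$0x0F,%al` line), so the dependency deserves a comment on the first `+` line, e.g. `# %k1 = low $left bits; masked loads suppress faults on excluded bytes, so only $left bytes of iv and input are touched`. Worth stating in that comment too is that `(%r11)` is $ivp + $num, so the unmasked form over-read the 16-byte iv as well as the input buffer; the masked `{z}` form fixes both, and the zeroed upper lanes are harmless because both stores on the following lines are masked with the same `%k1`. The decryption routine at the second hunk (`@@ -753`) gets the identical change and should carry the same comment. A regression test covering partial-block lengths 1–15 with the input and iv placed at the end of a guard-page-backed allocation (or run under ASan/valgrind) would catch any reintroduction of the unmasked load.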
@@ -753,8 +753,8 @@ $code.=<<___;
     and \$0x0F,%al                    # wrap-around in a 16-byte block

     leaq ($num,$ivp),%r11             # process $left iv bytes
-    vmovdqu8 (%r11),%xmm0
-    vmovdqu8 ($inp),%xmm1             # process $left input bytes
+    vmovdqu8 (%r11),%xmm0{%k1}{z}
+    vmovdqu8 ($inp),%xmm1{%k1}{z}     # process $left input bytes
     vpxor %xmm0,%xmm1,%xmm2           # CipherFeedBack XOR
     vmovdqu8 %xmm2,($out){%k1}        # write $left output bytes
     vmovdqu8 %xmm1,(%r11){%k1}        # blend $left input bytes into iv