https://github.com/openssl/openssl/commit/a1f7034bbd8f0730d360211f5ba0feeaef0b7b2c
https://github.com/openssl/openssl/issues/18625

From a1f7034bbd8f0730d360211f5ba0feeaef0b7b2c Mon Sep 17 00:00:00 2001
From: Xi Ruoyao <xry111@xry111.site>
Date: Wed, 22 Jun 2022 18:07:05 +0800
Subject: [PATCH] rsa: fix bn_reduce_once_in_place call for
 rsaz_mod_exp_avx512_x2

bn_reduce_once_in_place expects the number of BN_ULONG, but factor_size
is moduli bit size.

Fixes #18625.

Signed-off-by: Xi Ruoyao <xry111@xry111.site>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18626)

(cherry picked from commit 4d8a88c134df634ba610ff8db1eb8478ac5fd345)
--- a/crypto/bn/rsaz_exp_x2.c
+++ b/crypto/bn/rsaz_exp_x2.c
@@ -220,6 +220,9 @@ int ossl_rsaz_mod_exp_avx512_x2(BN_ULONG *res1,
     from_words52(res1, factor_size, rr1_red);
     from_words52(res2, factor_size, rr2_red);
 
+    /* bn_reduce_once_in_place expects number of BN_ULONG, not bit size */
+    factor_size /= sizeof(BN_ULONG) * 8;
+
     bn_reduce_once_in_place(res1, /*carry=*/0, m1, storage, factor_size);
     bn_reduce_once_in_place(res2, /*carry=*/0, m2, storage, factor_size);