From owner-cvs-src@FreeBSD.ORG  Mon May 14 17:07:06 2007
Return-Path: <owner-cvs-src@FreeBSD.ORG>
X-Original-To: cvs-src@FreeBSD.org
Delivered-To: cvs-src@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 3D80A16A409
	for <cvs-src@FreeBSD.org>; Mon, 14 May 2007 17:07:06 +0000 (UTC)
	(envelope-from cperciva@freebsd.org)
Received: from pd2mo2so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net
	[24.71.223.10])
	by mx1.freebsd.org (Postfix) with ESMTP id 1A5F413C45A
	for <cvs-src@FreeBSD.org>; Mon, 14 May 2007 17:07:06 +0000 (UTC)
	(envelope-from cperciva@freebsd.org)
Received: from pd2mr6so.prod.shaw.ca (pd2mr6so-qfe3.prod.shaw.ca [10.0.141.9])
	by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15
	2004))
	with ESMTP id <0JI10044LJIH4I20@l-daemon> for cvs-src@FreeBSD.org; Mon,
	14 May 2007 11:06:17 -0600 (MDT)
Received: from pn2ml4so.prod.shaw.ca ([10.0.121.148])
	by pd2mr6so.prod.shaw.ca (Sun Java System Messaging Server 6.2-7.05
	(built Sep
	5 2006)) with ESMTP id <0JI1000A9JIC3PO0@pd2mr6so.prod.shaw.ca> for
	cvs-src@FreeBSD.org; Mon, 14 May 2007 11:06:14 -0600 (MDT)
Received: from hexahedron.daemonology.net ([24.82.18.31])
	by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15
	2004))
	with SMTP id <0JI1005UBIWFSKR3@l-daemon> for cvs-src@FreeBSD.org; Mon,
	14 May 2007 10:53:04 -0600 (MDT)
Received: (qmail 35418 invoked from network); Mon, 14 May 2007 16:52:52 +0000
Received: from unknown (HELO hexahedron.daemonology.net) (127.0.0.1)
	by localhost with SMTP; Mon, 14 May 2007 16:52:52 +0000
Date: Mon, 14 May 2007 09:52:52 -0700
From: Colin Percival <cperciva@freebsd.org>
In-reply-to: <4648921F.1090407@FreeBSD.org>
To: Maxim Sobolev <sobomax@FreeBSD.org>
Message-id: <464893E4.4020902@freebsd.org>
MIME-version: 1.0
Content-type: text/plain; charset=KOI8-U
Content-transfer-encoding: 7bit
X-Enigmail-Version: 0.95.0
References: <200705140500.l4E50cSp082379@repoman.freebsd.org>
	<4648921F.1090407@FreeBSD.org>
User-Agent: Thunderbird 2.0.0.0 (X11/20070511)
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libmd/i386 rmd160.S sha.S
X-BeenThere: cvs-src@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: CVS commit messages for the src tree <cvs-src.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-src>,
	<mailto:cvs-src-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-src>
List-Post: <mailto:cvs-src@freebsd.org>
List-Help: <mailto:cvs-src-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-src>,
	<mailto:cvs-src-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 14 May 2007 17:07:06 -0000

Maxim Sobolev wrote:
> Colin Percival wrote:
>>   (1) The platform is i386.
> [...]
>>   still be broken if conditions (1)-(3) apply AND the buffer extends
>>   beyond 4GB (i.e., there is an integer overflow in computing "data +
>> len").
> 
> How that could be? Isn't userland address space on i386 limited by 4GB?

Exactly -- that's why I said that the remaining bug replaces SIGSEGV (since
a "correct" implementation would try to read kernel memory on its way towards
an address overflow) with a bogus hash.  This is strictly a "call us with bogus
parameters, get a bogus result" issue.

Colin Percival