Date: Wed, 09 Mar 2016 22:02:50 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-amd64@FreeBSD.org
Subject: [Bug 207783] OpenSSH client segfaults in 9.3-RELEASE-p37
Message-ID: <bug-207783-6-PElHzSMyH3@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-207783-6@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207783

Dimitry Andric <dim@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dim@FreeBSD.org

--- Comment #11 from Dimitry Andric <dim@FreeBSD.org> ---
Created attachment 167941
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=167941&action=edit
Fix bug caused by r296462

If you ask me, this is caused by r296462 [1], specifically the part:

> constant-time MOD_EXP_CTIME_COPY_FROM_PREBUF.
> [CVE-2016-0702, upstream d6482a8. 5ea08bd, d6d422e,
> 8fc8f48 317be63 skipped intentionally as we are not
> using the code on FreeBSD. Backport done by jkim@.

The problem is that all calls of MOD_EXP_CTIME_COPY_TO_PREBUF() are adjusted
to use the 'window' parameter, but it appears the one call to
MOD_EXP_CTIME_COPY_FROM_PREBUF() was forgotten: it still uses 'numPowers',
which is actually 1 << window!

Now MOD_EXP_CTIME_COPY_FROM_PREBUF() itself calls this input parameter
'window', and then proceeds to calculate the xstride as 1 << (window - 2),
which in some cases can end up being 2^30. The loop which then goes through
'table' (the buffer) will almost certainly hit bad memory.

The fix is to call MOD_EXP_CTIME_COPY_FROM_PREBUF() with 'window' instead.

[1] https://svnweb.freebsd.org/changeset/base/296462

-- 
You are receiving this mail because:
You are on the CC list for the bug.
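An added illustration of the parameter mix-up described in the comment above; this is example code, not the bug report's attachment or OpenSSL's own MOD_EXP_CTIME_COPY_FROM_PREBUF. It gathers one precomputed power out of a table laid out as table[limb * 2^window + power] in constant time, and rejects a 'window' argument that does not fit the table size, which is exactly the check that turns "numPowers passed where window belongs" into a clean error instead of an out-of-bounds read. The function names, the 4-limb table and its contents are constructed.

```c
#include <stdint.h>
#include <stddef.h>

typedef uint64_t limb_t;

/* Constant-time equality: all-ones mask when a == b, zero otherwise. */
static limb_t ct_eq_mask(unsigned a, unsigned b)
{
    limb_t x = (limb_t)(a ^ b);
    return (limb_t)0 - (limb_t)(((x | ((limb_t)0 - x)) >> 63) ^ 1);
}

/* Gather power `idx` into dst[0..top) from a table holding top * 2^window
 * limbs, reading every entry so the memory access pattern is idx-independent.
 * Returns 0 on success, -1 when window/idx/top do not fit table_limbs. */
int prebuf_gather_ct(limb_t *dst, size_t top, const limb_t *table,
                     size_t table_limbs, unsigned idx, unsigned window)
{
    if (window == 0 || window > 8)      /* assumed sane range for a window */
        return -1;
    size_t width = (size_t)1 << window; /* number of powers per limb row */
    if (idx >= width || top > table_limbs / width)
        return -1;                      /* would read past the buffer */
    for (size_t i = 0; i < top; i++, table += width) {
        limb_t acc = 0;
        for (size_t j = 0; j < width; j++)
            acc |= table[j] & ct_eq_mask((unsigned)j, idx);
        dst[i] = acc;
    }
    return 0;
}

/* Constructed demo: fill a 4-limb table where power p, limb i holds p*100+i,
 * then fetch power `idx` passing either `window` (correct) or the number of
 * powers 1 << window (the mistake from the report). Returns the gather status. */
int demo_fetch(unsigned window, unsigned idx, int pass_num_powers, limb_t out[4])
{
    enum { TOP = 4 };
    size_t width = (size_t)1 << window;
    limb_t table[TOP * 256];            /* large enough for window <= 8 */
    for (size_t i = 0; i < TOP; i++)
        for (size_t p = 0; p < width; p++)
            table[i * width + p] = (limb_t)(p * 100 + i);
    unsigned param = pass_num_powers ? (unsigned)width : window;
    return prebuf_gather_ct(out, TOP, table, TOP * width, idx, param);
}
```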
