From owner-cvs-all@FreeBSD.ORG  Mon May 14 16:55:09 2007
Return-Path: <owner-cvs-all@FreeBSD.ORG>
X-Original-To: cvs-all@FreeBSD.org
Delivered-To: cvs-all@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 2E66B16A410
	for <cvs-all@FreeBSD.org>; Mon, 14 May 2007 16:55:09 +0000 (UTC)
	(envelope-from cperciva@freebsd.org)
Received: from pd3mo2so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net
	[24.71.223.10])
	by mx1.freebsd.org (Postfix) with ESMTP id 0A79913C487
	for <cvs-all@FreeBSD.org>; Mon, 14 May 2007 16:55:08 +0000 (UTC)
	(envelope-from cperciva@freebsd.org)
Received: from pd3mr6so.prod.shaw.ca (pd3mr6so-qfe3.prod.shaw.ca [10.0.141.21])
	by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15
	2004))
	with ESMTP id <0JI100I1IIZ5D7D0@l-daemon> for cvs-all@FreeBSD.org; Mon,
	14 May 2007 10:54:41 -0600 (MDT)
Received: from pn2ml2so.prod.shaw.ca ([10.0.121.146])
	by pd3mr6so.prod.shaw.ca (Sun Java System Messaging Server 6.2-7.05
	(built Sep
	5 2006)) with ESMTP id <0JI100BCJIZ17O71@pd3mr6so.prod.shaw.ca> for
	cvs-all@FreeBSD.org; Mon, 14 May 2007 10:54:37 -0600 (MDT)
Received: from hexahedron.daemonology.net ([24.82.18.31])
	by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15
	2004))
	with SMTP id <0JI100GCUIWEGV20@l-daemon> for cvs-all@FreeBSD.org; Mon,
	14 May 2007 10:53:03 -0600 (MDT)
Received: (qmail 35418 invoked from network); Mon, 14 May 2007 16:52:52 +0000
Received: from unknown (HELO hexahedron.daemonology.net) (127.0.0.1)
	by localhost with SMTP; Mon, 14 May 2007 16:52:52 +0000
Date: Mon, 14 May 2007 09:52:52 -0700
From: Colin Percival <cperciva@freebsd.org>
In-reply-to: <4648921F.1090407@FreeBSD.org>
To: Maxim Sobolev <sobomax@FreeBSD.org>
Message-id: <464893E4.4020902@freebsd.org>
MIME-version: 1.0
Content-type: text/plain; charset=KOI8-U
Content-transfer-encoding: 7bit
X-Enigmail-Version: 0.95.0
References: <200705140500.l4E50cSp082379@repoman.freebsd.org>
	<4648921F.1090407@FreeBSD.org>
User-Agent: Thunderbird 2.0.0.0 (X11/20070511)
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libmd/i386 rmd160.S sha.S
X-BeenThere: cvs-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: CVS commit messages for the entire tree <cvs-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-all>
List-Post: <mailto:cvs-all@freebsd.org>
List-Help: <mailto:cvs-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 14 May 2007 16:55:09 -0000

Maxim Sobolev wrote:
> Colin Percival wrote:
>>   (1) The platform is i386.
> [...]
>>   still be broken if conditions (1)-(3) apply AND the buffer extends
>>   beyond 4GB (i.e., there is an integer overflow in computing "data +
>> len").
> 
> How that could be? Isn't userland address space on i386 limited by 4GB?

Exactly -- that's why I said that the remaining bug replaces SIGSEGV (since
a "correct" implementation would try to read kernel memory on its way towards
an address overflow) with a bogus hash.  This is strictly a "call us with bogus
parameters, get a bogus result" issue.

Colin Percival