Subject: Re: svn commit: r296465 - in releng/9.3: . crypto/openssl crypto/openssl/apps crypto/openssl/bugs crypto/openssl/crypto crypto/openssl/crypto/aes crypto/openssl/crypto/asn1 crypto/openssl/crypto/bf cry...
From: Dimitry Andric
Date: Wed, 9 Mar 2016 22:31:21 +0100
To: Xin Li
Cc: Antoine Brodin, Xin LI, Mathieu Arnold, Jung-Uk Kim, Bryan Drewery, Xin LI, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org

On 09 Mar 2016, at 21:39, Dimitry Andric wrote:
>
> On 09 Mar 2016, at 10:16, Xin Li wrote:
>>
>> FYI -- I can confirm that libcrypto is broken and have a reliable way to
>> trigger it.
>>
>> So far I was able to narrow down this to this change and here is a
>> temporary workaround (which will reintroduce CVE-2016-0702).
>>
>> Cheers,
>>
>
> FWIW, before the workaround I get this from valgrind:
>
> ==10050== Invalid read of size 8
> ==10050==    at 0x6BA3438: MOD_EXP_CTIME_COPY_FROM_PREBUF (bn_exp.c:585)
> ==10050==    by 0x6BA3438: BN_mod_exp_mont_consttime (bn_exp.c:760)
> ==10050==    by 0x6B84AB7: ??? (dh_key.c:156)
> ==10050==    by 0x4E4550B: ssh_dh_gen_key (in /usr/lib/private/libssh.so.5)
> ==10050==    by 0x42AEBF: kexgex_server (kexgexs.c:115)
> ==10050==    by 0x4E545FE: ssh_kex_input_kexinit (in /usr/lib/private/libssh.so.5)
> ==10050==    by 0x4E54BBE: ssh_dispatch_run (in /usr/lib/private/libssh.so.5)
> ==10050==    by 0x41085C: do_ssh2_kex (sshd.c:2559)
> ==10050==    by 0x41085C: main (sshd.c:2162)
> ==10050== Address 0x2078f3580 is not stack'd, malloc'd or (recently) free'd
> ==10050==
> ==10050==
> ==10050== Process terminating with default action of signal 11 (SIGSEGV): dumping core
> ==10050== Access not within mapped region at address 0x2078F3580
> ==10050==    at 0x6BA3438: MOD_EXP_CTIME_COPY_FROM_PREBUF (bn_exp.c:585)
> ==10050==    by 0x6BA3438: BN_mod_exp_mont_consttime (bn_exp.c:760)
> ==10050==    by 0x6B84AB7: ??? (dh_key.c:156)
> ==10050==    by 0x4E4550B: ssh_dh_gen_key (in /usr/lib/private/libssh.so.5)
> ==10050==    by 0x42AEBF: kexgex_server (kexgexs.c:115)
> ==10050==    by 0x4E545FE: ssh_kex_input_kexinit (in /usr/lib/private/libssh.so.5)
> ==10050==    by 0x4E54BBE: ssh_dispatch_run (in /usr/lib/private/libssh.so.5)
> ==10050==    by 0x41085C: do_ssh2_kex (sshd.c:2559)
> ==10050==    by 0x41085C: main (sshd.c:2162)
> ==10050== If you believe this happened as a result of a stack
> ==10050== overflow in your program's main thread (unlikely but
> ==10050== possible), you can try to increase the size of the
> ==10050== main thread stack using the --main-stacksize= flag.
> ==10050== The main thread stack size used in this run was 16777216.

I think this is a possible fix (it works for me, at least):

Index: crypto/openssl/crypto/bn/bn_exp.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- crypto/openssl/crypto/bn/bn_exp.c (revision 296469) +++ crypto/openssl/crypto/bn/bn_exp.c (working copy) @@ -758,7 +758,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BI * Fetch the appropriate pre-computed value from the pre-buf */ if (!MOD_EXP_CTIME_COPY_FROM_PREBUF - (computeTemp, top, powerbuf, wvalue, numPowers)) + (computeTemp, top, powerbuf, wvalue, window)) goto err; /* Multiply the result into the intermediate result */

Can people experiencing this problem please apply the above diff to their openssl, rebuild secure/lib/libcrypto, install it, then restart sshd and/or whatever daemon you have seen the crashes with?

-Dimitry
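
Review bot: only the one MOD_EXP_CTIME_COPY_FROM_PREBUF call at @@ -758 in BN_mod_exp_mont_consttime is changed from numPowers to window, and the hunk does not show whether the routine's last parameter is meant to be a window width or an entry count. Please confirm this against the routine's definition (the trace faults inside it at bn_exp.c:585), check that any other callers and whatever code fills powerbuf pass the same quantity, and state in the commit message why window is the right argument. Re-running the valgrind reproduction through the sshd kexgex_server path quoted above would confirm that the invalid read of size 8 no longer occurs.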