Date:      Wed, 9 Mar 2016 17:19:02 -0500
From:      Jung-uk Kim <jkim@FreeBSD.org>
To:        Dimitry Andric <dim@FreeBSD.org>, Xin Li <delphij@delphij.net>
Cc:        Antoine Brodin <antoine@FreeBSD.org>, Xin LI <delphij@gmail.com>, Mathieu Arnold <mat@freebsd.org>, Bryan Drewery <bdrewery@freebsd.org>, Xin LI <delphij@freebsd.org>, "src-committers@freebsd.org" <src-committers@freebsd.org>, "svn-src-all@freebsd.org" <svn-src-all@freebsd.org>, svn-src-releng@freebsd.org
Subject:   Re: svn commit: r296465 - in releng/9.3: . crypto/openssl crypto/openssl/apps crypto/openssl/bugs crypto/openssl/crypto crypto/openssl/crypto/aes crypto/openssl/crypto/asn1 crypto/openssl/crypto/bf cry...
Message-ID:  <56E0A156.4040303@FreeBSD.org>
In-Reply-To: <F14D28E4-4458-4208-8215-DB8998D62E2E@FreeBSD.org>
References:  <201603071622.u27GMC4a082792@repo.freebsd.org> <9B6D673B7B15CCDC424E97A8@atuin.in.mat.cc> <56DEFD08.6050100@FreeBSD.org> <63FB9E5BBBF224CA12839457@ogg.in.absolight.net> <56DEFDF5.2040500@FreeBSD.org> <1E2DCDEE8775312979CE7D0B@ogg.in.absolight.net> <56DF0234.2090307@FreeBSD.org> <56DF025B.1090706@FreeBSD.org> <DC10EFD5F03DA877503B6C3E@ogg.in.absolight.net> <56DF0550.6000604@FreeBSD.org> <E24637388915226D9A922B8B@atuin.in.mat.cc> <CAGMYy3tfrty-8r-Efzzd56d4AOdV0H%2BParrkUtBWR4f%2B0ZtxWw@mail.gmail.com> <CAALwa8mXg-eE3tZ1R=LAd9nWNAmTkqPmrSaZAmtrQ=u4-=wEeg@mail.gmail.com> <56DFEA05.6060501@delphij.net> <2E9527A1-C869-48DA-9554-2A96F1735F8C@FreeBSD.org> <F14D28E4-4458-4208-8215-DB8998D62E2E@FreeBSD.org>


On 03/ 9/16 04:31 PM, Dimitry Andric wrote:
> On 09 Mar 2016, at 21:39, Dimitry Andric <dim@FreeBSD.org> wrote:
>> 
>> On 09 Mar 2016, at 10:16, Xin Li <delphij@delphij.net> wrote:
>>> 
>>> FYI -- I can confirm that libcrypto is broken and have a 
>>> reliable way to trigger it.
>>> 
>>> So far I was able to narrow this down to this change, and here
>>> is a temporary workaround (which will reintroduce
>>> CVE-2016-0702).
>>> 
>>> Cheers, <bn-revert.diff>
>> 
>> FWIW, before the workaround I get this from valgrind:
>> 
>> ==10050== Invalid read of size 8
>> ==10050==    at 0x6BA3438: MOD_EXP_CTIME_COPY_FROM_PREBUF (bn_exp.c:585)
>> ==10050==    by 0x6BA3438: BN_mod_exp_mont_consttime (bn_exp.c:760)
>> ==10050==    by 0x6B84AB7: ??? (dh_key.c:156)
>> ==10050==    by 0x4E4550B: ssh_dh_gen_key (in /usr/lib/private/libssh.so.5)
>> ==10050==    by 0x42AEBF: kexgex_server (kexgexs.c:115)
>> ==10050==    by 0x4E545FE: ssh_kex_input_kexinit (in /usr/lib/private/libssh.so.5)
>> ==10050==    by 0x4E54BBE: ssh_dispatch_run (in /usr/lib/private/libssh.so.5)
>> ==10050==    by 0x41085C: do_ssh2_kex (sshd.c:2559)
>> ==10050==    by 0x41085C: main (sshd.c:2162)
>> ==10050==  Address 0x2078f3580 is not stack'd, malloc'd or (recently) free'd
>> ==10050==
>> ==10050==
>> ==10050== Process terminating with default action of signal 11 (SIGSEGV): dumping core
>> ==10050==  Access not within mapped region at address 0x2078F3580
>> ==10050==    at 0x6BA3438: MOD_EXP_CTIME_COPY_FROM_PREBUF (bn_exp.c:585)
>> ==10050==    by 0x6BA3438: BN_mod_exp_mont_consttime (bn_exp.c:760)
>> ==10050==    by 0x6B84AB7: ??? (dh_key.c:156)
>> ==10050==    by 0x4E4550B: ssh_dh_gen_key (in /usr/lib/private/libssh.so.5)
>> ==10050==    by 0x42AEBF: kexgex_server (kexgexs.c:115)
>> ==10050==    by 0x4E545FE: ssh_kex_input_kexinit (in /usr/lib/private/libssh.so.5)
>> ==10050==    by 0x4E54BBE: ssh_dispatch_run (in /usr/lib/private/libssh.so.5)
>> ==10050==    by 0x41085C: do_ssh2_kex (sshd.c:2559)
>> ==10050==    by 0x41085C: main (sshd.c:2162)
>> ==10050==  If you believe this happened as a result of a stack
>> ==10050==  overflow in your program's main thread (unlikely but
>> ==10050==  possible), you can try to increase the size of the
>> ==10050==  main thread stack using the --main-stacksize= flag.
>> ==10050==  The main thread stack size used in this run was 16777216.
> 
> I think this is a possible fix (it works for me, at least):
> 
> Index: crypto/openssl/crypto/bn/bn_exp.c 
> ===================================================================
>
>
>
>
> 
- --- crypto/openssl/crypto/bn/bn_exp.c   (revision 296469)
> +++ crypto/openssl/crypto/bn/bn_exp.c   (working copy) @@ -758,7 
> +758,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BI * 
> Fetch the appropriate pre-computed value from the pre-buf */ if 
> (!MOD_EXP_CTIME_COPY_FROM_PREBUF -            (computeTemp, top, 
> powerbuf, wvalue, numPowers)) +            (computeTemp, top, 
> powerbuf, wvalue, window)) goto err;
> 
> /* Multiply the result into the intermediate result */
> 
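Review bot: In the @@ -758,7 +758,7 hunk the last argument of MOD_EXP_CTIME_COPY_FROM_PREBUF changes from numPowers to window, but only this one call is touched and nothing at the call site says which of the two the helper expects. Please check every other call of this helper in bn_exp.c for the same numPowers/window mix-up, since the invalid read reported at bn_exp.c:585 came in through exactly this call at bn_exp.c:760, and add a one-line comment at the call naming the expected argument. The only verification stated so far is "it works for me", so a test that drives BN_mod_exp_mont_consttime through the DH key generation path shown in the trace (dh_key.c:156) should accompany the fix.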
> Can people experiencing this problem please apply the above diff to
> their openssl, rebuild secure/lib/libcrypto, install it, then 
> restart sshd and/or whatever daemon you have seen the crashes 
> with?

[My PC had multiple PSU failures and I just recovered from the
disaster.  I am very sorry for the late response.]

I haven't tested it but it looks correct.  I don't know how I missed
it in the first place. :-(

JK
