From: Jung-uk Kim <jkim@FreeBSD.org>
To: Dimitry Andric, Xin Li
Cc: Antoine Brodin, Xin LI, Mathieu Arnold, Bryan Drewery, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: Re: svn commit: r296465 - in releng/9.3: . crypto/openssl crypto/openssl/apps crypto/openssl/bugs crypto/openssl/crypto crypto/openssl/crypto/aes crypto/openssl/crypto/asn1 crypto/openssl/crypto/bf cry...
Date: Wed, 9 Mar 2016 17:19:02 -0500
Message-ID: <56E0A156.4040303@FreeBSD.org>
References: <201603071622.u27GMC4a082792@repo.freebsd.org> <9B6D673B7B15CCDC424E97A8@atuin.in.mat.cc> <56DEFD08.6050100@FreeBSD.org> <63FB9E5BBBF224CA12839457@ogg.in.absolight.net> <56DEFDF5.2040500@FreeBSD.org> <1E2DCDEE8775312979CE7D0B@ogg.in.absolight.net> <56DF0234.2090307@FreeBSD.org> <56DF025B.1090706@FreeBSD.org> <56DF0550.6000604@FreeBSD.org> <56DFEA05.6060501@delphij.net> <2E9527A1-C869-48DA-9554-2A96F1735F8C@FreeBSD.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 03/ 9/16 04:31 PM, Dimitry Andric wrote:
> On 09 Mar 2016, at 21:39, Dimitry Andric wrote:
>>
>> On 09 Mar 2016, at 10:16, Xin Li wrote:
>>>
>>> FYI -- I can confirm that libcrypto is broken and have a
>>> reliable way to trigger it.
>>>
>>> So far I was able to narrow down this to this change and here
>>> is a temporary workaround (which will reintroduce
>>> CVE-2016-0702).
>>>
>>> Cheers,
>>
>> FWIW, before the workaround I get this from valgrind:
>>
>> ==10050== Invalid read of size 8
>> ==10050==    at 0x6BA3438: MOD_EXP_CTIME_COPY_FROM_PREBUF (bn_exp.c:585)
>> ==10050==    by 0x6BA3438: BN_mod_exp_mont_consttime (bn_exp.c:760)
>> ==10050==    by 0x6B84AB7: ??? (dh_key.c:156)
>> ==10050==    by 0x4E4550B: ssh_dh_gen_key (in /usr/lib/private/libssh.so.5)
>> ==10050==    by 0x42AEBF: kexgex_server (kexgexs.c:115)
>> ==10050==    by 0x4E545FE: ssh_kex_input_kexinit (in /usr/lib/private/libssh.so.5)
>> ==10050==    by 0x4E54BBE: ssh_dispatch_run (in /usr/lib/private/libssh.so.5)
>> ==10050==    by 0x41085C: do_ssh2_kex (sshd.c:2559)
>> ==10050==    by 0x41085C: main (sshd.c:2162)
>> ==10050==  Address 0x2078f3580 is not stack'd, malloc'd or (recently) free'd
>> ==10050==
>> ==10050==
>> ==10050== Process terminating with default action of signal 11 (SIGSEGV): dumping core
>> ==10050==  Access not within mapped region at address 0x2078F3580
>> ==10050==    at 0x6BA3438: MOD_EXP_CTIME_COPY_FROM_PREBUF (bn_exp.c:585)
>> ==10050==    by 0x6BA3438: BN_mod_exp_mont_consttime (bn_exp.c:760)
>> ==10050==    by 0x6B84AB7: ??? (dh_key.c:156)
>> ==10050==    by 0x4E4550B: ssh_dh_gen_key (in /usr/lib/private/libssh.so.5)
>> ==10050==    by 0x42AEBF: kexgex_server (kexgexs.c:115)
>> ==10050==    by 0x4E545FE: ssh_kex_input_kexinit (in /usr/lib/private/libssh.so.5)
>> ==10050==    by 0x4E54BBE: ssh_dispatch_run (in /usr/lib/private/libssh.so.5)
>> ==10050==    by 0x41085C: do_ssh2_kex (sshd.c:2559)
>> ==10050==    by 0x41085C: main (sshd.c:2162)
>> ==10050==  If you believe this happened as a result of a stack
>> ==10050==  overflow in your program's main thread (unlikely but
>> ==10050==  possible), you can try to increase the size of the
>> ==10050==  main thread stack using the --main-stacksize= flag.
>> ==10050==  The main thread stack size used in this run was 16777216.
>
> I think this is a possible fix (it works for me, at least):
>
> Index: crypto/openssl/crypto/bn/bn_exp.c > =================================================================== > > > > > - --- crypto/openssl/crypto/bn/bn_exp.c (revision 296469) > +++ crypto/openssl/crypto/bn/bn_exp.c (working copy) @@ -758,7 > +758,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BI * > Fetch the appropriate pre-computed value from the pre-buf */ if > (!MOD_EXP_CTIME_COPY_FROM_PREBUF - (computeTemp, top, > powerbuf, wvalue, numPowers)) + (computeTemp, top, > powerbuf, wvalue, window)) goto err; > > /* Multiply the result into the intermediate result */
>
> Can people experiencing this problem please apply the above diff to
> their openssl, rebuild secure/lib/libcrypto, install it, then
> restart sshd and/or whatever daemon you have seen the crashes
> with?

[My PC had multiple PSU failures and I just recovered from the disaster.
I am very sorry for the late response.]

I haven't tested it but it looks correct.  I don't know how I missed it
in the first place.
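Review bot: the one-token change at the bn_exp.c:760 call site, numPowers to window, lines up with the function the valgrind trace faults in (MOD_EXP_CTIME_COPY_FROM_PREBUF at bn_exp.c:585): the callee's last parameter is a window width, and handing it the already-expanded power count is the kind of unit mix-up that makes it walk far past powerbuf, matching the "Address 0x2078f3580 is not stack'd, malloc'd or (recently) free'd" read reported above. Two things to confirm before this goes in: that this is the only remaining caller of MOD_EXP_CTIME_COPY_FROM_PREBUF in the merged releng/9.3 bn_exp.c still passing numPowers (grep the file rather than trusting the single hunk, since the merge evidently updated the callee and caller out of step), and that the rebuilt libcrypto is re-run under the same sshd DH key-exchange reproducer with valgrind, because the earlier "temporary workaround" reintroduces CVE-2016-0702 and must be backed out rather than left in place. Minor: the diff as pasted has been re-wrapped by the mail client (`@@ -758,7 > +758,7 @@`) and dash-escaped by PGP signing (`- ---`), so it will not apply with patch(1) as-is; attaching it or pointing at the svn diff would save people a manual edit.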
:-(

JK
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJW4KFSAAoJEHyflib82/FGGt8H/iaaxbks7copI9O4oCs229RG
UlLxx1XsrYkdStEqJHg4OXgXr6kIdkSpBBJjYs3DlOFKL5Vin0PTenfDV0i0a0/l
MbawMhWX6xhNaUKSHVguXJeGZUGT4pYQe6pZoZYT2ZrAq5eEavk/y0qlwPK4xV50
A/xXsfgLGwruMZjJ4JJ7N4CZMByyKu7jAhnveDFS3A87HOve48HEGpHY/UDmWvZ1
t1JX0e7ZCO+frHAwYdBkMG9w4ozQ26PjGTyJuL/852GORaxt+5kZ4Uj2/jLjxIIj
pnFJ1CrzjFKqX3+03QaOi+hFlBPyQ/CMyMg03fO5MQqTys3ehObujRmfE1mhCZs=
=KShP
-----END PGP SIGNATURE-----
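The thread never spells out why swapping numPowers for window at the call site matters, so here is a small C model of that call, added as an illustration for this archive page; it is not code from OpenSSL or from the FreeBSD tree. It only borrows the shape visible in the quoted diff (a gather of entry idx from a table of 1 << window entries of top limbs each, with the table laid out limb-major); every name in it (limb_t, ct_mask_eq, ct_copy_from_prebuf, the demo_* helpers, the sample table) is made up for the example. The point it shows: a callee that takes the window width in bits derives the entry count itself, so a caller that passes the entry count (numPowers = 1 << window) in that slot makes the callee believe the table is astronomically larger than it is, and a length check at the callee boundary is what turns that into a clean failure instead of an out-of-bounds read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified model for this example only; not OpenSSL's
 * MOD_EXP_CTIME_COPY_FROM_PREBUF. All names here are assumptions. */

typedef uint64_t limb_t;

/* All-ones when a == b, all-zeros otherwise, with no data-dependent
 * branch. Valid for small non-negative a, b (table indices). */
static limb_t ct_mask_eq(unsigned a, unsigned b)
{
    uint32_t x = (uint32_t)(a ^ b);          /* 0 iff a == b            */
    uint32_t z = (uint32_t)((x - 1u) >> 31); /* 1 iff x == 0            */
    return (limb_t)0 - (limb_t)z;            /* 0xFFFF... or 0x0000...  */
}

/* Copy entry `idx` of a table holding (1 << window) entries of `top` limbs
 * each into `out`, touching every entry so the access pattern does not
 * depend on idx. Layout is limb-major: limb i of every entry is contiguous.
 * Returns 1 on success, 0 when (window, top) cannot describe a table of
 * `table_len` limbs. That check is what catches a caller that passes the
 * entry count (numPowers) where the window width (window) was expected. */
static int ct_copy_from_prebuf(limb_t *out, unsigned top,
                               const limb_t *table, size_t table_len,
                               unsigned idx, unsigned window)
{
    if (window == 0 || window > 16)
        return 0;                          /* no sane modexp window is wider */
    size_t width = (size_t)1 << window;    /* entry count, i.e. numPowers   */
    if (idx >= width || width * top > table_len)
        return 0;                          /* would read past the buffer    */
    for (unsigned i = 0; i < top; i++) {
        limb_t acc = 0;
        for (size_t j = 0; j < width; j++)
            acc |= table[i * width + j] & ct_mask_eq((unsigned)j, idx);
        out[i] = acc;
    }
    return 1;
}

enum { DEMO_WINDOW = 5, DEMO_TOP = 4 };
#define DEMO_POWERS (1u << DEMO_WINDOW)   /* numPowers = 32 (constructed) */
static limb_t demo_table[DEMO_TOP * DEMO_POWERS];

/* Constructed sample table: entry j, limb i holds 100*j + i. */
static void demo_fill(void)
{
    for (unsigned i = 0; i < DEMO_TOP; i++)
        for (unsigned j = 0; j < DEMO_POWERS; j++)
            demo_table[i * DEMO_POWERS + j] = (limb_t)(100u * j + i);
}

/* Correct call: pass the window width. Returns limb 0 of entry idx, or -1. */
static long demo_correct(unsigned idx)
{
    limb_t out[DEMO_TOP];
    demo_fill();
    if (!ct_copy_from_prebuf(out, DEMO_TOP, demo_table,
                             sizeof demo_table / sizeof demo_table[0],
                             idx, DEMO_WINDOW))
        return -1;
    return (long)out[0];
}

/* The mix-up from the thread: pass numPowers where window is expected.
 * The callee would otherwise assume 1 << 32 entries per limb; the bound
 * check rejects the call. Returns the callee's status (0 = rejected). */
static int demo_mixup(unsigned idx)
{
    limb_t out[DEMO_TOP];
    demo_fill();
    return ct_copy_from_prebuf(out, DEMO_TOP, demo_table,
                               sizeof demo_table / sizeof demo_table[0],
                               idx, DEMO_POWERS);
}

int main(void)
{
    printf("entry 7, limb 0, window=%d: %ld\n", DEMO_WINDOW, demo_correct(7));
    printf("same call with numPowers=%u passed as window: status %d\n",
           DEMO_POWERS, demo_mixup(7));
    return 0;
}
```

The length argument is the deliberate design choice: the real routine in the diff is handed only powerbuf and a width, so a mismatch between what the caller and callee mean by the last parameter has nothing to stop it short of a segfault, which is exactly what the valgrind trace in the thread shows. The constant-time mask is there because the window parameter exists in the first place to read the whole table in an idx-independent pattern; this toy does not address cache-line effects, which is the separate concern behind CVE-2016-0702.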