From: Michiel Boland
Date: Thu, 08 Nov 2012 20:39:29 +0100
To: Jan Mikkelsen
Cc: FreeBSD Stable
Subject: Re: dc(1) fails with "big number failure" on 2^64
Message-ID: <509C0A71.1060309@boland.org>
In-Reply-To: <509BFAA1.8000201@xs4all.nl>

On 11/08/2012 19:32, Michiel Boland wrote:
[...]
> No fix, but I see a problem in the BN_add_word function in
> /usr/src/crypto/openssl/crypto/bn/bn_word.c

Small test case:-

#include <limits.h>
#include <openssl/bn.h>

int main()
{
	BIGNUM *n;

	n = BN_new();
	/* largest single-word value minus one: fits in one word */
	BN_set_word(n, ULONG_MAX - 1);
	/* adding 2 carries out of that word */
	BN_add_word(n, 2);
	BN_free(n);
	return 0;
}

$ gcc x.c -lcrypto
$ valgrind ./a.out
==30682== Memcheck, a memory error detector
==30682== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==30682== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==30682== Command: ./a.out
==30682==
==30682== Invalid write of size 8
==30682==    at 0x1328EA8: BN_add_word (bn_word.c:158)
==30682==    by 0x40076E: main (in /usr/home/boland/a.out)
==30682==  Address 0x18fc0a8 is 0 bytes after a block of size 8 alloc'd
==30682==    at 0x100410B: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==30682==    by 0x1331B82: CRYPTO_malloc (mem.c:328)
==30682==    by 0x1330F76: ??? (bn_lib.c:317)
==30682==    by 0x13310C7: bn_expand2 (bn_lib.c:432)
==30682==    by 0x133121C: BN_set_word (bn_lib.c:570)
==30682==    by 0x400760: main (in /usr/home/boland/a.out)
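
Added example, not part of the original message and not OpenSSL's code: a toy word-array bignum showing the same situation as the test case (a one-word value in a one-word allocation, then an addition that carries out of it), with the array grown before the carry word is stored. The names toy_bn, toy_expand and toy_add_word are hypothetical.

```c
#include <limits.h>
#include <stdlib.h>

struct toy_bn {          /* hypothetical toy bignum, not OpenSSL's BIGNUM */
    unsigned long *d;    /* little-endian word array */
    size_t top;          /* words in use */
    size_t dmax;         /* words allocated */
};

/* Ensure room for `words` words; returns 0 on allocation failure. */
static int toy_expand(struct toy_bn *a, size_t words)
{
    unsigned long *p;
    if (words <= a->dmax)
        return 1;
    if ((p = realloc(a->d, words * sizeof(*p))) == NULL)
        return 0;
    a->d = p;
    a->dmax = words;
    return 1;
}

/* a += w; returns 1 on success, 0 on allocation failure. */
static int toy_add_word(struct toy_bn *a, unsigned long w)
{
    size_t i;
    for (i = 0; w != 0 && i < a->top; i++) {
        unsigned long sum = a->d[i] + w;  /* wraps modulo 2^N */
        w = (sum < w);                    /* carry out of this word */
        a->d[i] = sum;
    }
    /* A leftover carry needs a new top word: grow before storing it. */
    if (w != 0) {
        if (!toy_expand(a, a->top + 1))
            return 0;
        a->d[a->top++] = w;
    }
    return 1;
}

int main(void)
{
    struct toy_bn n = { NULL, 0, 0 };
    if (!toy_expand(&n, 1)) return 1;
    n.d[0] = ULONG_MAX - 1; n.top = 1;   /* one-word value, one-word block */
    int ok = toy_add_word(&n, 2) && n.top == 2 && n.d[0] == 0 && n.d[1] == 1;
    free(n.d);
    return !ok;
}
```

Storing the carry at d[top] without the toy_expand call would write directly past a one-word block, which is the shape of the invalid write in the valgrind report above.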