Date: Fri, 9 Nov 2012 16:10:31 +1100
From: Jan Mikkelsen <janm@transactionware.com>
To: Michiel Boland <michiel@boland.org>, FreeBSD Stable <freebsd-stable@freebsd.org>
Subject: Re: dc(1) fails with "big number failure" on 2^64
Message-ID: <3A09BDDE-70C3-4235-8B48-67EF10984B94@transactionware.com>
In-Reply-To: <509C0A71.1060309@boland.org>
References: <2ABD38E2-A9F7-4AD3-9364-B21F6566F7CB@transactionware.com> <509BFAA1.8000201@xs4all.nl> <509C0A71.1060309@boland.org>
Hi,

Great, the test case is very useful. I have applied the following patch to crypto/bn/bn_word.c, which fixes the problem for me.

--- //depot/vendor/freebsd/9.1-local/src/crypto/openssl/crypto/bn/bn_word.c	2012-08-13 00:32:35.000000000 1000
+++ /data/scratch/janm/p4/freebsd-image-std-2011.1/FreeBSD/src/crypto/openssl/crypto/bn/bn_word.c	2012-08-13 00:32:35.000000000 1000
@@ -145,9 +145,11 @@
 		return(i);
 		}
 	/* Only expand (and risk failing) if it's possibly necessary */
-	if (((BN_ULONG)(a->d[a->top - 1] + 1) == 0) &&
-		(bn_wexpand(a,a->top+1) == NULL))
-		return(0);
+	if (
+		(((a->top == 1) && (BN_MASK2 - w < a->d[0])) ||
+		 ((a->top > 1) && ((BN_ULONG)(a->d[a->top - 1] + 1) == 0))) &&
+		(bn_wexpand(a,a->top+1) == NULL))
+		return(0);
 	i=0;
 	for (;;)
 		{

This is a heap overflow in BN_add_word. I don't know what other problems this could cause beyond bc and dc returning crap ...

Regards,

Jan.

On 09/11/2012, at 6:39 AM, Michiel Boland <michiel@boland.org> wrote:

> On 11/08/2012 19:32, Michiel Boland wrote:
> [...]
>> No fix, but I see a problem in the BN_add_word function in
>> /usr/src/crypto/openssl/crypto/bn/bn_word.c
> 
> Small test case:-
> 
> #include <openssl/bn.h>
> #include <limits.h>
> 
> int main()
> {
> 	BIGNUM *n;
> 
> 	n = BN_new();
> 	BN_set_word(n, ULONG_MAX - 1);   /* a single word with every bit but the lowest set */
> 	BN_add_word(n, 2);               /* carries out of that word, so a second word is needed */
> 	BN_free(n);
> 	return 0;
> }
> 
> $ gcc x.c -lcrypto
> $ valgrind ./a.out
> ==30682== Memcheck, a memory error detector
> ==30682== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
> ==30682== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
> ==30682== Command: ./a.out
> ==30682==
> ==30682== Invalid write of size 8
> ==30682==    at 0x1328EA8: BN_add_word (bn_word.c:158)
> ==30682==    by 0x40076E: main (in /usr/home/boland/a.out)
> ==30682==  Address 0x18fc0a8 is 0 bytes after a block of size 8 alloc'd
> ==30682==    at 0x100410B: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
> ==30682==    by 0x1331B82: CRYPTO_malloc (mem.c:328)
> ==30682==    by 0x1330F76: ??? (bn_lib.c:317)
> ==30682==    by 0x13310C7: bn_expand2 (bn_lib.c:432)
> ==30682==    by 0x133121C: BN_set_word (bn_lib.c:570)
> ==30682==    by 0x400760: main (in /usr/home/boland/a.out)
> 
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
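Review bot: In the BN_add_word hunk above, the two-case condition is correct but leaves the comment stale: "Only expand (and risk failing) if it's possibly necessary" no longer says why top == 1 is tested differently from top > 1. Add a line noting that with a single word the addend w itself can carry out of the word (hence BN_MASK2 - w < a->d[0]), whereas with top > 1 at most a carry of 1 can reach the top word, so the old a->d[a->top - 1] + 1 == 0 test is still sufficient there. Structurally, it would be simpler and harder to get wrong to drop the prediction altogether: run the carry loop over the existing a->top words and call bn_wexpand(a,a->top+1) only if a carry is still pending when i == a->top, immediately before the a->d[i] = l store that valgrind flags, so the bound on the write follows from the loop rather than from a separate guess. Minor: the bare "if (" line with the condition starting on the next line reads oddly next to the rest of this function; binding the two cases to a local such as int overflow = ... first keeps the if on one line.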
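To make the failure mode of that expansion check concrete, here is an added stand-alone C model that is not OpenSSL or FreeBSD code and is not part of this thread. It keeps only what the report exercises (a little-endian word array with top and dmax, the carry loop, and the non-negative path), and runs the original predicate and the patched predicate side by side on Michiel's input and on a few multi-word inputs. The bounds check inside the loop is an assumption added for the demonstration: where BN_add_word would write past the allocation, this model returns -1 instead. Names such as TOY_BN, toy_bn_add_word and run_add are invented for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/*
 * Toy model of the expansion decision in BN_add_word.  NOT OpenSSL code:
 * only the word array, top/dmax bookkeeping and the carry loop are kept,
 * so the two "do we need one more word?" predicates can be compared.
 */
typedef uint64_t BN_ULONG;
#define BN_MASK2 ((BN_ULONG)0xffffffffffffffffULL)

typedef struct {
    BN_ULONG *d;   /* words, least significant first */
    int top;       /* words in use */
    int dmax;      /* words allocated */
} TOY_BN;

/* Allocate exactly n words, like the 8-byte block BN_set_word left behind
 * in the valgrind trace (constructed starting state, not OpenSSL's). */
static int toy_bn_set(TOY_BN *a, const BN_ULONG *words, int n)
{
    a->d = malloc(sizeof(BN_ULONG) * (size_t)n);
    if (a->d == NULL)
        return 0;
    memcpy(a->d, words, sizeof(BN_ULONG) * (size_t)n);
    a->top = n;
    a->dmax = n;
    return 1;
}

static int toy_bn_wexpand(TOY_BN *a, int words)
{
    BN_ULONG *p;
    if (words <= a->dmax)
        return 1;
    p = realloc(a->d, sizeof(BN_ULONG) * (size_t)words);
    if (p == NULL)
        return 0;
    a->d = p;
    a->dmax = words;
    return 1;
}

typedef int (*expand_pred)(const TOY_BN *a, BN_ULONG w);

/* Original check: expand only when the top word is all ones. */
static int needs_expand_orig(const TOY_BN *a, BN_ULONG w)
{
    (void)w;
    return (BN_ULONG)(a->d[a->top - 1] + 1) == 0;
}

/* Patched check: with one word the addend itself can overflow it, so test
 * BN_MASK2 - w < d[0]; with more words at most a carry of 1 reaches the
 * top word, so the original test is enough there. */
static int needs_expand_fixed(const TOY_BN *a, BN_ULONG w)
{
    if (a->top == 1)
        return BN_MASK2 - w < a->d[0];
    return (BN_ULONG)(a->d[a->top - 1] + 1) == 0;
}

/* 1 on success, 0 on allocation failure, -1 when the carry loop would store
 * past a->dmax (the heap overflow; caught here instead of performed). */
static int toy_bn_add_word(TOY_BN *a, BN_ULONG w, expand_pred pred)
{
    BN_ULONG l;
    int i;

    w &= BN_MASK2;
    if (w == 0)
        return 1;
    if (pred(a, w) && !toy_bn_wexpand(a, a->top + 1))
        return 0;
    i = 0;
    for (;;) {
        if (i >= a->top) {
            if (i >= a->dmax)      /* added guard: the real code writes here */
                return -1;
            l = w;
        } else {
            l = (a->d[i] + w) & BN_MASK2;
        }
        a->d[i] = l;
        if (w > l)
            w = 1;                 /* carry into the next word */
        else
            break;
        i++;
    }
    if (i >= a->top)
        a->top++;
    return 1;
}

/* Add w to words[0..n-1] (n <= 3) with the chosen predicate; on success
 * copy the resulting words into out and the resulting top into *out_top. */
static int run_add(expand_pred pred, const BN_ULONG *words, int n, BN_ULONG w,
                   BN_ULONG out[4], int *out_top)
{
    TOY_BN a;
    int rc;

    if (n < 1 || n > 3 || !toy_bn_set(&a, words, n))
        return 0;
    rc = toy_bn_add_word(&a, w, pred);
    if (rc == 1) {
        memcpy(out, a.d, sizeof(BN_ULONG) * (size_t)a.top);
        *out_top = a.top;
    }
    free(a.d);
    return rc;
}

int main(void)
{
    const BN_ULONG in[1] = { BN_MASK2 - 1 };   /* ULONG_MAX - 1 from the report */
    BN_ULONG out[4];
    int top = 0;

    printf("original check: rc=%d (-1 = would write past the block)\n",
           run_add(needs_expand_orig, in, 1, 2, out, &top));
    printf("patched check:  rc=%d top=%d d[0]=%llu d[1]=%llu\n",
           run_add(needs_expand_fixed, in, 1, 2, out, &top), top,
           (unsigned long long)out[0], (unsigned long long)out[1]);
    return 0;
}
```

With the original predicate the single-word case (2^64 - 2) + 2 never asks for a second word, and the loop reaches index 1 of a one-word block; with the patched predicate the same input expands first and yields top = 2, d = {0, 1}, which is 2^64. The multi-word inputs in the test show the case the old check already handled (top word all ones) and a case where no expansion is needed at all.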
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A09BDDE-70C3-4235-8B48-67EF10984B94>