Date: Wed, 9 Mar 2016 21:39:58 +0100 From: Dimitry Andric <dim@FreeBSD.org> To: Xin Li <delphij@delphij.net> Cc: Antoine Brodin <antoine@FreeBSD.org>, Xin LI <delphij@gmail.com>, Mathieu Arnold <mat@freebsd.org>, Jung-Uk Kim <jkim@freebsd.org>, Bryan Drewery <bdrewery@freebsd.org>, Xin LI <delphij@freebsd.org>, "src-committers@freebsd.org" <src-committers@freebsd.org>, "svn-src-all@freebsd.org" <svn-src-all@freebsd.org>, svn-src-releng@freebsd.org Subject: Re: svn commit: r296465 - in releng/9.3: . crypto/openssl crypto/openssl/apps crypto/openssl/bugs crypto/openssl/crypto crypto/openssl/crypto/aes crypto/openssl/crypto/asn1 crypto/openssl/crypto/bf cry... Message-ID: <2E9527A1-C869-48DA-9554-2A96F1735F8C@FreeBSD.org> In-Reply-To: <56DFEA05.6060501@delphij.net> References: <201603071622.u27GMC4a082792@repo.freebsd.org> <9B6D673B7B15CCDC424E97A8@atuin.in.mat.cc> <56DEFD08.6050100@FreeBSD.org> <63FB9E5BBBF224CA12839457@ogg.in.absolight.net> <56DEFDF5.2040500@FreeBSD.org> <1E2DCDEE8775312979CE7D0B@ogg.in.absolight.net> <56DF0234.2090307@FreeBSD.org> <56DF025B.1090706@FreeBSD.org> <DC10EFD5F03DA877503B6C3E@ogg.in.absolight.net> <56DF0550.6000604@FreeBSD.org> <E24637388915226D9A922B8B@atuin.in.mat.cc> <CAGMYy3tfrty-8r-Efzzd56d4AOdV0H%2BParrkUtBWR4f%2B0ZtxWw@mail.gmail.com> <CAALwa8mXg-eE3tZ1R=LAd9nWNAmTkqPmrSaZAmtrQ=u4-=wEeg@mail.gmail.com> <56DFEA05.6060501@delphij.net>
next in thread | previous in thread | raw e-mail | index | archive | help
--Apple-Mail=_AA17955F-1DCE-4BA2-B503-80692C2DCCA2 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii On 09 Mar 2016, at 10:16, Xin Li <delphij@delphij.net> wrote: >=20 > FYI -- I can confirm that libcrypto is broken and have a reliable way = to > trigger it. >=20 > So far I was able to narrow down this to this change and here is a > temporary workaround (which will reintroduce CVE-2016-0702). >=20 > Cheers, > <bn-revert.diff> FWIW, before the workaround I get this from valgrind: =3D=3D10050=3D=3D Invalid read of size 8 =3D=3D10050=3D=3D at 0x6BA3438: MOD_EXP_CTIME_COPY_FROM_PREBUF = (bn_exp.c:585) =3D=3D10050=3D=3D by 0x6BA3438: BN_mod_exp_mont_consttime = (bn_exp.c:760) =3D=3D10050=3D=3D by 0x6B84AB7: ??? (dh_key.c:156) =3D=3D10050=3D=3D by 0x4E4550B: ssh_dh_gen_key (in = /usr/lib/private/libssh.so.5) =3D=3D10050=3D=3D by 0x42AEBF: kexgex_server (kexgexs.c:115) =3D=3D10050=3D=3D by 0x4E545FE: ssh_kex_input_kexinit (in = /usr/lib/private/libssh.so.5) =3D=3D10050=3D=3D by 0x4E54BBE: ssh_dispatch_run (in = /usr/lib/private/libssh.so.5) =3D=3D10050=3D=3D by 0x41085C: do_ssh2_kex (sshd.c:2559) =3D=3D10050=3D=3D by 0x41085C: main (sshd.c:2162) =3D=3D10050=3D=3D Address 0x2078f3580 is not stack'd, malloc'd or = (recently) free'd =3D=3D10050=3D=3D =3D=3D10050=3D=3D =3D=3D10050=3D=3D Process terminating with default action of signal 11 = (SIGSEGV): dumping core =3D=3D10050=3D=3D Access not within mapped region at address = 0x2078F3580 =3D=3D10050=3D=3D at 0x6BA3438: MOD_EXP_CTIME_COPY_FROM_PREBUF = (bn_exp.c:585) =3D=3D10050=3D=3D by 0x6BA3438: BN_mod_exp_mont_consttime = (bn_exp.c:760) =3D=3D10050=3D=3D by 0x6B84AB7: ??? (dh_key.c:156) =3D=3D10050=3D=3D by 0x4E4550B: ssh_dh_gen_key (in = /usr/lib/private/libssh.so.5) =3D=3D10050=3D=3D by 0x42AEBF: kexgex_server (kexgexs.c:115) =3D=3D10050=3D=3D by 0x4E545FE: ssh_kex_input_kexinit (in = /usr/lib/private/libssh.so.5) =3D=3D10050=3D=3D by 0x4E54BBE: ssh_dispatch_run (in = /usr/lib/private/libssh.so.5) =3D=3D10050=3D=3D by 0x41085C: do_ssh2_kex (sshd.c:2559) =3D=3D10050=3D=3D by 0x41085C: main (sshd.c:2162) =3D=3D10050=3D=3D If you believe this happened as a result of a stack =3D=3D10050=3D=3D overflow in your program's main thread (unlikely but =3D=3D10050=3D=3D possible), you can try to increase the size of the =3D=3D10050=3D=3D main thread stack using the --main-stacksize=3D flag. =3D=3D10050=3D=3D The main thread stack size used in this run was = 16777216. -Dimitry --Apple-Mail=_AA17955F-1DCE-4BA2-B503-80692C2DCCA2 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.29 iEYEARECAAYFAlbgiiIACgkQsF6jCi4glqO/TACg8wnXNM/4bSChip4c1XG9wN23 3z8AoM2kOpFsIa2xWLAACSnL39ad1plF =BCdJ -----END PGP SIGNATURE----- --Apple-Mail=_AA17955F-1DCE-4BA2-B503-80692C2DCCA2--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2E9527A1-C869-48DA-9554-2A96F1735F8C>