svn commit: r296465 - in releng/9.3: . crypto/openssl crypto/openssl/apps crypto/openssl/bugs crypto/openssl/crypto crypto/openssl/crypto/aes crypto/openssl/crypto/asn1 crypto/openssl/crypto/bf cry...

Wed Mar 9 21:31:32 UTC 2016

On 09 Mar 2016, at 21:39, Dimitry Andric <dim at FreeBSD.org> wrote:
> 
> On 09 Mar 2016, at 10:16, Xin Li <delphij at delphij.net> wrote:
>> 
>> FYI -- I can confirm that libcrypto is broken and have a reliable way to
>> trigger it.
>> 
>> So far I was able to narrow down this to this change and here is a
>> temporary workaround (which will reintroduce CVE-2016-0702).
>> 
>> Cheers,
>> <bn-revert.diff>
> 
> FWIW, before the workaround I get this from valgrind:
> 
> ==10050== Invalid read of size 8
> ==10050==    at 0x6BA3438: MOD_EXP_CTIME_COPY_FROM_PREBUF (bn_exp.c:585)
> ==10050==    by 0x6BA3438: BN_mod_exp_mont_consttime (bn_exp.c:760)
> ==10050==    by 0x6B84AB7: ??? (dh_key.c:156)
> ==10050==    by 0x4E4550B: ssh_dh_gen_key (in /usr/lib/private/libssh.so.5)
> ==10050==    by 0x42AEBF: kexgex_server (kexgexs.c:115)
> ==10050==    by 0x4E545FE: ssh_kex_input_kexinit (in /usr/lib/private/libssh.so.5)
> ==10050==    by 0x4E54BBE: ssh_dispatch_run (in /usr/lib/private/libssh.so.5)
> ==10050==    by 0x41085C: do_ssh2_kex (sshd.c:2559)
> ==10050==    by 0x41085C: main (sshd.c:2162)
> ==10050==  Address 0x2078f3580 is not stack'd, malloc'd or (recently) free'd
> ==10050==
> ==10050==
> ==10050== Process terminating with default action of signal 11 (SIGSEGV): dumping core
> ==10050==  Access not within mapped region at address 0x2078F3580
> ==10050==    at 0x6BA3438: MOD_EXP_CTIME_COPY_FROM_PREBUF (bn_exp.c:585)
> ==10050==    by 0x6BA3438: BN_mod_exp_mont_consttime (bn_exp.c:760)
> ==10050==    by 0x6B84AB7: ??? (dh_key.c:156)
> ==10050==    by 0x4E4550B: ssh_dh_gen_key (in /usr/lib/private/libssh.so.5)
> ==10050==    by 0x42AEBF: kexgex_server (kexgexs.c:115)
> ==10050==    by 0x4E545FE: ssh_kex_input_kexinit (in /usr/lib/private/libssh.so.5)
> ==10050==    by 0x4E54BBE: ssh_dispatch_run (in /usr/lib/private/libssh.so.5)
> ==10050==    by 0x41085C: do_ssh2_kex (sshd.c:2559)
> ==10050==    by 0x41085C: main (sshd.c:2162)
> ==10050==  If you believe this happened as a result of a stack
> ==10050==  overflow in your program's main thread (unlikely but
> ==10050==  possible), you can try to increase the size of the
> ==10050==  main thread stack using the --main-stacksize= flag.
> ==10050==  The main thread stack size used in this run was 16777216.

I think this is a possible fix (it works for me, at least):

Index: crypto/openssl/crypto/bn/bn_exp.c
===================================================================

--- crypto/openssl/crypto/bn/bn_exp.c   (revision 296469)
+++ crypto/openssl/crypto/bn/bn_exp.c   (working copy)
@@ -758,7 +758,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BI
          * Fetch the appropriate pre-computed value from the pre-buf
          */
         if (!MOD_EXP_CTIME_COPY_FROM_PREBUF
-            (computeTemp, top, powerbuf, wvalue, numPowers))
+            (computeTemp, top, powerbuf, wvalue, window))
             goto err;

         /* Multiply the result into the intermediate result */

Can people experiencing this problem please apply the above diff to
their openssl, rebuild secure/lib/libcrypto, install it, then restart
sshd and/or whatever daemon you have seen the crashes with?

-Dimitry

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 194 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freebsd.org/pipermail/svn-src-all/attachments/20160309/9162cdd6/attachment.sig>
